eff7f78b
Commit
eff7f78b
authored
Mar 05, 2011
by
Mark Andrews
3061. [func] New option "dnssec-signzone -D", only write out
generated DNSSEC records. [RT #22896]
parent
3c618c6e
Changes
11
CHANGES
3061. [func] New option "dnssec-signzone -D", only write out
generated DNSSEC records. [RT #22896]
3060. [func] New option "dnssec-signzone -X <date>" allows
specification of a separate expiration date
for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
...
...
bin/dnssec/dnssec-signzone.c
...
...
@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.26
6
2011/03/0
4 23:47:47 tbox
Exp $ */
/* $Id: dnssec-signzone.c,v 1.26
7
2011/03/0
5 06:35:40 marka
Exp $ */
/*! \file */
...
...
@@ -171,6 +171,8 @@ static isc_boolean_t disable_zone_check = ISC_FALSE;
static
isc_boolean_t
update_chain
=
ISC_FALSE
;
static
isc_boolean_t
set_keyttl
=
ISC_FALSE
;
static
dns_ttl_t
keyttl
;
static
isc_boolean_t
smartsign
=
ISC_FALSE
;
static
isc_boolean_t
output_dnssec_only
=
ISC_FALSE
;
#define INCSTAT(counter) \
if (printstats) { \
...
...
@@ -188,13 +190,69 @@ sign(isc_task_t *task, isc_event_t *event);
static
void
dumpnode
(
dns_name_t
*
name
,
dns_dbnode_t
*
node
)
{
dns_rdataset_t
rds
;
dns_rdatasetiter_t
*
iter
=
NULL
;
isc_buffer_t
*
buffer
=
NULL
;
isc_region_t
r
;
isc_result_t
result
;
unsigned
bufsize
=
4096
;
if
(
outputformat
!=
dns_masterformat_text
)
return
;
result
=
dns_master_dumpnodetostream
(
mctx
,
gdb
,
gversion
,
node
,
name
,
masterstyle
,
fp
);
check_result
(
result
,
"dns_master_dumpnodetostream"
);
if
(
!
output_dnssec_only
)
{
result
=
dns_master_dumpnodetostream
(
mctx
,
gdb
,
gversion
,
node
,
name
,
masterstyle
,
fp
);
check_result
(
result
,
"dns_master_dumpnodetostream"
);
return
;
}
result
=
dns_db_allrdatasets
(
gdb
,
node
,
gversion
,
0
,
&
iter
);
check_result
(
result
,
"dns_db_allrdatasets"
);
dns_rdataset_init
(
&
rds
);
result
=
isc_buffer_allocate
(
mctx
,
&
buffer
,
bufsize
);
check_result
(
result
,
"isc_buffer_allocate"
);
for
(
result
=
dns_rdatasetiter_first
(
iter
);
result
==
ISC_R_SUCCESS
;
result
=
dns_rdatasetiter_next
(
iter
))
{
dns_rdatasetiter_current
(
iter
,
&
rds
);
if
(
rds
.
type
!=
dns_rdatatype_rrsig
&&
rds
.
type
!=
dns_rdatatype_nsec
&&
rds
.
type
!=
dns_rdatatype_nsec3
&&
rds
.
type
!=
dns_rdatatype_nsec3param
&&
(
!
smartsign
||
rds
.
type
!=
dns_rdatatype_dnskey
))
{
dns_rdataset_disassociate
(
&
rds
);
continue
;
}
while
(
ISC_TRUE
)
{
result
=
dns_master_rdatasettotext
(
name
,
&
rds
,
masterstyle
,
buffer
);
if
(
result
!=
ISC_R_NOSPACE
)
break
;
bufsize
<<=
1
;
isc_buffer_free
(
&
buffer
);
result
=
isc_buffer_allocate
(
mctx
,
&
buffer
,
bufsize
);
check_result
(
result
,
"isc_buffer_allocate"
);
}
check_result
(
result
,
"dns_master_rdatasettotext"
);
isc_buffer_usedregion
(
buffer
,
&
r
);
result
=
isc_stdio_write
(
r
.
base
,
1
,
r
.
length
,
fp
,
NULL
);
check_result
(
result
,
"isc_stdio_write"
);
isc_buffer_clear
(
buffer
);
dns_rdataset_disassociate
(
&
rds
);
}
isc_buffer_free
(
&
buffer
);
dns_rdatasetiter_destroy
(
&
iter
);
}
/*%
...
...
@@ -3297,6 +3355,8 @@ usage(void) {
fprintf
(
stderr
,
"
\t\t
file format of signed zone file (text)
\n
"
);
fprintf
(
stderr
,
"
\t
-N format:
\n
"
);
fprintf
(
stderr
,
"
\t\t
soa serial format of signed zone file (keep)
\n
"
);
fprintf
(
stderr
,
"
\t
-D:
\n
"
);
fprintf
(
stderr
,
"
\t\t
output only DNSSEC-related records
\n
"
);
fprintf
(
stderr
,
"
\t
-r randomdev:
\n
"
);
fprintf
(
stderr
,
"
\t\t
a file containing random data
\n
"
);
fprintf
(
stderr
,
"
\t
-a:
\t
"
);
...
...
@@ -3397,7 +3457,6 @@ main(int argc, char *argv[]) {
isc_buffer_t
b
;
int
len
;
hashlist_t
hashlist
;
isc_boolean_t
smartsign
=
ISC_FALSE
;
isc_boolean_t
make_keyset
=
ISC_FALSE
;
isc_boolean_t
set_salt
=
ISC_FALSE
;
isc_boolean_t
set_optout
=
ISC_FALSE
;
...
...
@@ -3490,6 +3549,10 @@ main(int argc, char *argv[]) {
dsdir
,
isc_result_totext
(
result
));
break
;
case
'D'
:
output_dnssec_only
=
ISC_TRUE
;
break
;
case
'E'
:
engine
=
isc_commandline_argument
;
break
;
...
...
@@ -3759,6 +3822,12 @@ main(int argc, char *argv[]) {
serialformatstr
);
}
if
(
output_dnssec_only
&&
outputformat
!=
dns_masterformat_text
)
fatal
(
"option -D can only be used with
\"
-O text
\"\n
"
);
if
(
output_dnssec_only
&&
serialformat
!=
SOA_SERIAL_KEEP
)
fatal
(
"option -D can only be used with
\"
-N keep
\"\n
"
);
result
=
dns_master_stylecreate
(
&
dsstyle
,
DNS_STYLEFLAG_NO_TTL
,
0
,
24
,
0
,
0
,
0
,
8
,
mctx
);
check_result
(
result
,
"dns_master_stylecreate"
);
...
...
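Review bot: The rdataset loop in the new `dumpnode` body stops as soon as `result != ISC_R_SUCCESS`, so a `dns_rdatasetiter_next` failure other than `ISC_R_NOMORE` is indistinguishable from normal exhaustion and the function returns after writing only part of the node. In `-D` mode that partial output is exactly what gets `$INCLUDE`d back into the zone file, so missing RRSIG or NSEC records would not be noticed until a validating resolver rejects the zone. After the loop, before `isc_buffer_free(&buffer)`, add `if (result != ISC_R_NOMORE) fatal("dns_rdatasetiter_next: %s", isc_result_totext(result));`, in the same fatal-on-error style the new `-D`/`-O`/`-N` combination checks in `main` already use. The usage line `output only DNSSEC-related records` could also mention that DNSKEY records are included with `-S`, so it stays in step with the docbook text added in this commit.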
bin/dnssec/dnssec-signzone.docbook
...
...
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.4
5
2011/03/0
4 22:20:20 each
Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.4
6
2011/03/0
5 06:35:40 marka
Exp $ -->
<refentry
id=
"man.dnssec-signzone"
>
<refentryinfo>
<date>
June 05, 2009
</date>
...
...
@@ -60,6 +60,7 @@
<arg><option>
-a
</option></arg>
<arg><option>
-c
<replaceable
class=
"parameter"
>
class
</replaceable></option></arg>
<arg><option>
-d
<replaceable
class=
"parameter"
>
directory
</replaceable></option></arg>
<arg><option>
-D
</option></arg>
<arg><option>
-E
<replaceable
class=
"parameter"
>
engine
</replaceable></option></arg>
<arg><option>
-e
<replaceable
class=
"parameter"
>
end-time
</replaceable></option></arg>
<arg><option>
-f
<replaceable
class=
"parameter"
>
output-file
</replaceable></option></arg>
...
...
@@ -152,6 +153,22 @@
</listitem>
</varlistentry>
<varlistentry>
<term>
-D
</term>
<listitem>
<para>
Output only those record types automatically managed by
<command>
dnssec-signzone
</command>
, i.e. RRSIG, NSEC,
NSEC3 and NSEC3PARAM records. If smart signing
(
<option>
-S
</option>
) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with
<command>
$INCLUDE
</command>
. This option
cannot be combined with
<option>
-O raw
</option>
or serial
number updating.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
-E
<replaceable
class=
"parameter"
>
engine
</replaceable></term>
<listitem>
...
...
bin/tests/system/dnssec/clean.sh
...
...
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.3
8
2011/03/0
4 14:07:03 smann
Exp $
# $Id: clean.sh,v 1.3
9
2011/03/0
5 06:35:40 marka
Exp $
exit
...
...
@@ -25,6 +25,7 @@ rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm
-f
ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
rm
-f
ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
rm
-f
ns3/rsasha256.example.db ns3/rsasha512.example.db
rm
-f
ns3/split-dnssec.example.db
rm
-f
ns2/private.secure.example.db
rm
-f
ns2/badparam.db ns2/badparam.db.bad
rm
-f
ns2/single-nsec3.db
...
...
@@ -55,3 +56,4 @@ rm -f signer/example.db.after signer/example.db.before
rm
-f
signer/example.db.changed
rm
-f
ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm
-f
ns3/ttlpatch.example.db.patched
rm
-f
ns3/split-smart.example.db
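Review bot: The two new `rm -f` lines remove `ns3/split-dnssec.example.db` and `ns3/split-smart.example.db`, but ns3/sign.sh in this commit also creates `split-dnssec.example.db.signed` and `split-smart.example.db.signed` (truncated with `: > $signedfile` and then filled by the signer). Unless a glob elsewhere in clean.sh already covers `*.signed` files, those should be listed as well, e.g. `rm -f ns3/split-dnssec.example.db ns3/split-dnssec.example.db.signed`, otherwise signed data from a previous run is left behind in the test tree.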
bin/tests/system/dnssec/ns2/example.db.in
...
...
@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: example.db.in,v 1.
29
2011/0
2/28 14:21:35 fdupont
Exp $
; $Id: example.db.in,v 1.
30
2011/0
3/05 06:35:41 marka
Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
...
...
@@ -128,3 +128,9 @@ ns.secure.below-cname A 10.53.0.3
ttlpatch NS ns.ttlpatch
ns.ttlpatch A 10.53.0.3
split-dnssec NS ns.split-dnssec
ns.split-dnssec A 10.53.0.3
split-smart NS ns.split-smart
ns.split-smart A 10.53.0.3
bin/tests/system/dnssec/ns2/sign.sh
...
...
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.4
6
2011/0
2/28 14:21:35 fdupont
Exp $
# $Id: sign.sh,v 1.4
7
2011/0
3/05 06:35:41 marka
Exp $
SYSTEMTESTTOP
=
../..
.
$SYSTEMTESTTOP
/conf.sh
...
...
@@ -32,7 +32,8 @@ zonefile=example.db
for
subdomain
in
secure bogus dynamic keyless nsec3 optout nsec3-unknown
\
optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3
\
auto-nsec auto-nsec3 secure.below-cname ttlpatch
auto-nsec auto-nsec3 secure.below-cname ttlpatch split-dnssec
\
split-smart
do
cp
../ns3/dsset-
$subdomain
.example.
.
done
...
...
bin/tests/system/dnssec/ns3/named.conf
...
...
@@ -15,7 +15,7 @@
*
PERFORMANCE
OF
THIS
SOFTWARE
.
*/
/* $
Id
:
named
.
conf
,
v
1
.
4
4
2011
/
0
2
/
28
14
:
21
:
35
fdupont
Exp
$ */
/* $
Id
:
named
.
conf
,
v
1
.
4
5
2011
/
0
3
/
05
06
:
35
:
41
marka
Exp
$ */
//
NS3
...
...
@@ -207,4 +207,14 @@ zone "ttlpatch.example" {
file
"ttlpatch.example.db.patched"
;
};
zone
"split-dnssec.example"
{
type
master
;
file
"split-dnssec.example.db"
;
};
zone
"split-smart.example"
{
type
master
;
file
"split-smart.example.db"
;
};
include
"trusted.conf"
;
bin/tests/system/dnssec/ns3/sign.sh
...
...
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.3
8
2011/0
2/28 14:21:35 fdupont
Exp $
# $Id: sign.sh,v 1.3
9
2011/0
3/05 06:35:41 marka
Exp $
SYSTEMTESTTOP
=
../..
.
$SYSTEMTESTTOP
/conf.sh
...
...
@@ -340,3 +340,32 @@ cat $infile $keyname.key >$zonefile
$SIGNER
-P
-r
$RANDFILE
-f
$signedfile
-o
$zone
$zonefile
>
/dev/null 2>&1
sed
's/300/3600/'
$signedfile
>
$patchedfile
#
# Seperate DNSSEC records.
#
zone
=
split-dnssec.example.
infile
=
split-dnssec.example.db.in
zonefile
=
split-dnssec.example.db
signedfile
=
split-dnssec.example.db.signed
keyname
=
`
$KEYGEN
-q
-r
$RANDFILE
-a
RSASHA1
-b
768
-n
zone
$zone
`
cat
$infile
$keyname
.key
>
$zonefile
echo
'$INCLUDE "'
"
$signedfile
"
'"'
>>
$zonefile
:
>
$signedfile
$SIGNER
-P
-r
$RANDFILE
-D
-o
$zone
$zonefile
>
/dev/null 2>&1
#
# Seperate DNSSEC records smart signing.
#
zone
=
split-smart.example.
infile
=
split-smart.example.db.in
zonefile
=
split-smart.example.db
signedfile
=
split-smart.example.db.signed
keyname
=
`
$KEYGEN
-q
-r
$RANDFILE
-a
RSASHA1
-b
768
-n
zone
$zone
`
cp
$infile
$zonefile
echo
'$INCLUDE "'
"
$signedfile
"
'"'
>>
$zonefile
:
>
$signedfile
$SIGNER
-P
-S
-r
$RANDFILE
-D
-o
$zone
$zonefile
>
/dev/null 2>&1
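Review bot: The two new section comments read `# Seperate DNSSEC records.` and `# Seperate DNSSEC records smart signing.`; the word is `Separate`. Both new signer invocations also discard stdout and stderr with `> /dev/null 2>&1`, matching the surrounding file, so a failure of the new `-D` path only shows up indirectly through the dig checks in tests.sh; that is inherited style rather than something this hunk introduces.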
bin/tests/system/dnssec/ns3/split-dnssec.example.db.in
0 → 100644
; Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: split-dnssec.example.db.in,v 1.2 2011/03/05 06:35:41 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
child NS ns2.example.
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
bin/tests/system/dnssec/ns3/split-smart.example.db.in
0 → 100644
; Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: split-smart.example.db.in,v 1.2 2011/03/05 06:35:41 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
child NS ns2.example.
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
bin/tests/system/dnssec/tests.sh
...
...
@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.8
0
2011/03/0
1 14:40:39 smann
Exp $
# $Id: tests.sh,v 1.8
1
2011/03/0
5 06:35:40 marka
Exp $
SYSTEMTESTTOP
=
..
.
$SYSTEMTESTTOP
/conf.sh
...
...
@@ -1224,5 +1224,25 @@ n=`expr $n + 1`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:check that a split dnssec dnssec-signzone work (
$n
)"
ret
=
0
$DIG
$DIGOPTS
soa split-dnssec.example. @10.53.0.4
>
dig.out.ns4.test
$n
||
ret
=
1
grep
"NOERROR"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
grep
"ANSWER: 2,"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
grep
"flags:.* ad[ ;]"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
n
=
`
expr
$n
+ 1
`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:check that a smart split dnssec dnssec-signzone work (
$n
)"
ret
=
0
$DIG
$DIGOPTS
soa split-smart.example. @10.53.0.4
>
dig.out.ns4.test
$n
||
ret
=
1
grep
"NOERROR"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
grep
"ANSWER: 2,"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
grep
"flags:.* ad[ ;]"
dig.out.ns4.test
$n
>
/dev/null
||
ret
=
1
n
=
`
expr
$n
+ 1
`
if
[
$ret
!=
0
]
;
then
echo
"I:failed"
;
fi
status
=
`
expr
$status
+
$ret
`
echo
"I:exit status:
$status
"
exit
$status
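Review bot: The two new checks query only the SOA of `split-dnssec.example.` and `split-smart.example.` and look for `NOERROR`, `ANSWER: 2,` and the `ad` flag, so they confirm that the RRSIG written to the `-D` output validates but never exercise the NSEC/NSEC3 data carried in the same file. A second query in each block for a name that does not exist in the zone, checked for `NXDOMAIN` and the `ad` flag in the same way, would show that the denial-of-existence records survived the split too. The echo text `check that a split dnssec dnssec-signzone work` should read `works` in both occurrences.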