Commit eff7f78b authored by Mark Andrews's avatar Mark Andrews

3061. [func] New option "dnssec-signzone -D", only write out

                        generated DNSSEC records. [RT #22896]
parent 3c618c6e
3061. [func] New option "dnssec-signzone -D", only write out
generated DNSSEC records. [RT #22896]
3060. [func] New option "dnssec-signzone -X <date>" allows
specification of a separate expiration date
for DNSKEY RRSIGs and other RRSIGs. [RT #22141]
......
......@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.266 2011/03/04 23:47:47 tbox Exp $ */
/* $Id: dnssec-signzone.c,v 1.267 2011/03/05 06:35:40 marka Exp $ */
/*! \file */
......@@ -171,6 +171,8 @@ static isc_boolean_t disable_zone_check = ISC_FALSE;
static isc_boolean_t update_chain = ISC_FALSE;
static isc_boolean_t set_keyttl = ISC_FALSE;
static dns_ttl_t keyttl;
static isc_boolean_t smartsign = ISC_FALSE;
static isc_boolean_t output_dnssec_only = ISC_FALSE;
#define INCSTAT(counter) \
if (printstats) { \
......@@ -188,13 +190,69 @@ sign(isc_task_t *task, isc_event_t *event);
static void
dumpnode(dns_name_t *name, dns_dbnode_t *node) {
dns_rdataset_t rds;
dns_rdatasetiter_t *iter = NULL;
isc_buffer_t *buffer = NULL;
isc_region_t r;
isc_result_t result;
unsigned bufsize = 4096;
if (outputformat != dns_masterformat_text)
return;
result = dns_master_dumpnodetostream(mctx, gdb, gversion, node, name,
masterstyle, fp);
check_result(result, "dns_master_dumpnodetostream");
if (!output_dnssec_only) {
result = dns_master_dumpnodetostream(mctx, gdb, gversion, node,
name, masterstyle, fp);
check_result(result, "dns_master_dumpnodetostream");
return;
}
result = dns_db_allrdatasets(gdb, node, gversion, 0, &iter);
check_result(result, "dns_db_allrdatasets");
dns_rdataset_init(&rds);
result = isc_buffer_allocate(mctx, &buffer, bufsize);
check_result(result, "isc_buffer_allocate");
for (result = dns_rdatasetiter_first(iter);
result == ISC_R_SUCCESS;
result = dns_rdatasetiter_next(iter)) {
dns_rdatasetiter_current(iter, &rds);
if (rds.type != dns_rdatatype_rrsig &&
rds.type != dns_rdatatype_nsec &&
rds.type != dns_rdatatype_nsec3 &&
rds.type != dns_rdatatype_nsec3param &&
(!smartsign || rds.type != dns_rdatatype_dnskey)) {
dns_rdataset_disassociate(&rds);
continue;
}
while (ISC_TRUE) {
result = dns_master_rdatasettotext(name, &rds,
masterstyle, buffer);
if (result != ISC_R_NOSPACE)
break;
bufsize <<= 1;
isc_buffer_free(&buffer);
result = isc_buffer_allocate(mctx, &buffer, bufsize);
check_result(result, "isc_buffer_allocate");
}
check_result(result, "dns_master_rdatasettotext");
isc_buffer_usedregion(buffer, &r);
result = isc_stdio_write(r.base, 1, r.length, fp, NULL);
check_result(result, "isc_stdio_write");
isc_buffer_clear(buffer);
dns_rdataset_disassociate(&rds);
}
isc_buffer_free(&buffer);
dns_rdatasetiter_destroy(&iter);
}
/*%
......@@ -3297,6 +3355,8 @@ usage(void) {
fprintf(stderr, "\t\tfile format of signed zone file (text)\n");
fprintf(stderr, "\t-N format:\n");
fprintf(stderr, "\t\tsoa serial format of signed zone file (keep)\n");
fprintf(stderr, "\t-D:\n");
fprintf(stderr, "\t\toutput only DNSSEC-related records\n");
fprintf(stderr, "\t-r randomdev:\n");
fprintf(stderr, "\t\ta file containing random data\n");
fprintf(stderr, "\t-a:\t");
......@@ -3397,7 +3457,6 @@ main(int argc, char *argv[]) {
isc_buffer_t b;
int len;
hashlist_t hashlist;
isc_boolean_t smartsign = ISC_FALSE;
isc_boolean_t make_keyset = ISC_FALSE;
isc_boolean_t set_salt = ISC_FALSE;
isc_boolean_t set_optout = ISC_FALSE;
......@@ -3490,6 +3549,10 @@ main(int argc, char *argv[]) {
dsdir, isc_result_totext(result));
break;
case 'D':
output_dnssec_only = ISC_TRUE;
break;
case 'E':
engine = isc_commandline_argument;
break;
......@@ -3759,6 +3822,12 @@ main(int argc, char *argv[]) {
serialformatstr);
}
if (output_dnssec_only && outputformat != dns_masterformat_text)
fatal("option -D can only be used with \"-O text\"\n");
if (output_dnssec_only && serialformat != SOA_SERIAL_KEEP)
fatal("option -D can only be used with \"-N keep\"\n");
result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL,
0, 24, 0, 0, 0, 8, mctx);
check_result(result, "dns_master_stylecreate");
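Review bot: The iteration loop in dumpnode (the `for` over dns_rdatasetiter_first/next) exits on any result other than ISC_R_SUCCESS, so a database error part-way through a node is indistinguishable from ISC_R_NOMORE and silently truncates the -D output; since that file is meant to be $INCLUDEd into the zone, the outcome would be a zone missing some RRSIG/NSEC records rather than an error. Because the non -D path reports such failures through check_result, the loop should do the same once it ends: `if (result != ISC_R_NOMORE)` / `fatal("dns_rdatasetiter_next: %s", isc_result_totext(result));`. The `bufsize <<= 1` retry has no upper bound, so if an rdataset ever exceeded what an unsigned can hold the shift would wrap to zero and the while loop would never terminate; treating a second ISC_R_NOSPACE at the maximum size as fatal would be safer, though such a node is not realistic. The function also has no header comment; I would add `/* Write the node's rdatasets to fp; with -D only RRSIG, NSEC, NSEC3, NSEC3PARAM (and DNSKEY under -S) are written. */` above dumpnode. The new `case 'D'` in main assumes the isc_commandline option string was extended to accept D in a hunk not shown here.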
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.45 2011/03/04 22:20:20 each Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.46 2011/03/05 06:35:40 marka Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 05, 2009</date>
......@@ -60,6 +60,7 @@
<arg><option>-a</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-D</option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
......@@ -152,6 +153,22 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-D</term>
<listitem>
<para>
Output only those record types automatically managed by
<command>dnssec-signzone</command>, i.e. RRSIG, NSEC,
NSEC3 and NSEC3PARAM records. If smart signing
(<option>-S</option>) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with <command>$INCLUDE</command>. This option
cannot be combined with <option>-O raw</option> or serial
number updating.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
......
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.38 2011/03/04 14:07:03 smann Exp $
# $Id: clean.sh,v 1.39 2011/03/05 06:35:40 marka Exp $
exit
......@@ -25,6 +25,7 @@ rm -f ns1/root.db ns2/example.db ns3/secure.example.db
rm -f ns3/unsecure.example.db ns3/bogus.example.db ns3/keyless.example.db
rm -f ns3/dynamic.example.db ns3/dynamic.example.db.signed.jnl
rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
rm -f ns3/split-dnssec.example.db
rm -f ns2/private.secure.example.db
rm -f ns2/badparam.db ns2/badparam.db.bad
rm -f ns2/single-nsec3.db
......@@ -55,3 +56,4 @@ rm -f signer/example.db.after signer/example.db.before
rm -f signer/example.db.changed
rm -f ns3/ttlpatch.example.db ns3/ttlpatch.example.db.signed
rm -f ns3/ttlpatch.example.db.patched
rm -f ns3/split-smart.example.db
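Review bot: The two new rm lines remove ns3/split-dnssec.example.db and ns3/split-smart.example.db but not the .signed files the signer writes next to them (ns3/sign.sh creates split-dnssec.example.db.signed and split-smart.example.db.signed), so those outputs survive a clean and can mask a failed re-sign on the next run. The existing ttlpatch line shows the convention: `rm -f ns3/split-dnssec.example.db ns3/split-dnssec.example.db.signed` and `rm -f ns3/split-smart.example.db ns3/split-smart.example.db.signed`. Putting both on adjacent lines, rather than one in each hunk, would also make the pairing easier to see.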
......@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: example.db.in,v 1.29 2011/02/28 14:21:35 fdupont Exp $
; $Id: example.db.in,v 1.30 2011/03/05 06:35:41 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
......@@ -128,3 +128,9 @@ ns.secure.below-cname A 10.53.0.3
ttlpatch NS ns.ttlpatch
ns.ttlpatch A 10.53.0.3
split-dnssec NS ns.split-dnssec
ns.split-dnssec A 10.53.0.3
split-smart NS ns.split-smart
ns.split-smart A 10.53.0.3
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.46 2011/02/28 14:21:35 fdupont Exp $
# $Id: sign.sh,v 1.47 2011/03/05 06:35:41 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -32,7 +32,8 @@ zonefile=example.db
for subdomain in secure bogus dynamic keyless nsec3 optout nsec3-unknown \
optout-unknown multiple rsasha256 rsasha512 kskonly update-nsec3 \
auto-nsec auto-nsec3 secure.below-cname ttlpatch
auto-nsec auto-nsec3 secure.below-cname ttlpatch split-dnssec \
split-smart
do
cp ../ns3/dsset-$subdomain.example. .
done
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.44 2011/02/28 14:21:35 fdupont Exp $ */
/* $Id: named.conf,v 1.45 2011/03/05 06:35:41 marka Exp $ */
// NS3
......@@ -207,4 +207,14 @@ zone "ttlpatch.example" {
file "ttlpatch.example.db.patched";
};
zone "split-dnssec.example" {
type master;
file "split-dnssec.example.db";
};
zone "split-smart.example" {
type master;
file "split-smart.example.db";
};
include "trusted.conf";
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: sign.sh,v 1.38 2011/02/28 14:21:35 fdupont Exp $
# $Id: sign.sh,v 1.39 2011/03/05 06:35:41 marka Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -340,3 +340,32 @@ cat $infile $keyname.key >$zonefile
$SIGNER -P -r $RANDFILE -f $signedfile -o $zone $zonefile > /dev/null 2>&1
sed 's/300/3600/' $signedfile > $patchedfile
#
# Seperate DNSSEC records.
#
zone=split-dnssec.example.
infile=split-dnssec.example.db.in
zonefile=split-dnssec.example.db
signedfile=split-dnssec.example.db.signed
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
cat $infile $keyname.key >$zonefile
echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
: > $signedfile
$SIGNER -P -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1
#
# Seperate DNSSEC records smart signing.
#
zone=split-smart.example.
infile=split-smart.example.db.in
zonefile=split-smart.example.db
signedfile=split-smart.example.db.signed
keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
cp $infile $zonefile
echo '$INCLUDE "'"$signedfile"'"' >> $zonefile
: > $signedfile
$SIGNER -P -S -r $RANDFILE -D -o $zone $zonefile > /dev/null 2>&1
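Review bot: The `: > $signedfile` line before each signer call is the non-obvious step here and has no comment; presumably the zone file now $INCLUDEs $signedfile, so the file must exist (even empty) for the signer to load the zone before it overwrites it with the -D output — confirm and say so, e.g. `# $zonefile $INCLUDEs $signedfile, so it must exist before signing`. Both comment headers misspell "Seperate"; `# Separate DNSSEC records.` and `# Separate DNSSEC records, smart signing.`. As with the surrounding cases, the signer's exit status and output are discarded, so a signing failure only surfaces later as a dig failure in tests.sh; that follows the file's existing pattern, so it is only worth changing file-wide.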
; Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: split-dnssec.example.db.in,v 1.2 2011/03/05 06:35:41 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
child NS ns2.example.
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
; Copyright (C) 2006, 2008 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: split-smart.example.db.in,v 1.2 2011/03/05 06:35:41 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
*.wild A 10.0.0.6
child NS ns2.example.
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
......@@ -15,7 +15,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.80 2011/03/01 14:40:39 smann Exp $
# $Id: tests.sh,v 1.81 2011/03/05 06:35:40 marka Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
......@@ -1224,5 +1224,25 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check that a split dnssec dnssec-signzone work ($n)"
ret=0
$DIG $DIGOPTS soa split-dnssec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:check that a smart split dnssec dnssec-signzone work ($n)"
ret=0
$DIG $DIGOPTS soa split-smart.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1
grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
grep "ANSWER: 2," dig.out.ns4.test$n > /dev/null || ret=1
grep "flags:.* ad[ ;]" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status
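Review bot: The two new checks only confirm that ns4 validates the SOA of each split zone (NOERROR, two answers, ad flag), which does not exercise what -D promises: the generated file should contain nothing but RRSIG/NSEC/NSEC3/NSEC3PARAM (plus DNSKEY for the -S case). A direct check of ns3/split-dnssec.example.db.signed, such as grepping its non-comment lines for any record type outside that set and failing if one is found, would catch a regression in dumpnode's type filter that the resolver test would not. The echo lines read `check that a split dnssec dnssec-signzone work`; `works` is needed, and `check that dnssec-signzone -D produces a usable split zone ($n)` would say what is being tested. The two blocks differ only in the zone name and could be a loop over split-dnssec and split-smart, as ns2/sign.sh already does for its subdomain list.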