GitLab

The command used to reformat the files in this commit was:

./util/run-clang-tidy \
	-clang-tidy-binary clang-tidy-11
	-clang-apply-replacements-binary clang-apply-replacements-11 \
	-checks=-*,readability-braces-around-statements \
	-j 9 \
	-fix \
	-format \
	-style=file \
	-quiet
clang-format -i --style=format $(git ls-files '*.c' '*.h')
uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h')
clang-format -i --style=format $(git ls-files '*.c' '*.h')

Move PATH_MAX, NAME_MAX, IOV_MAX default definitions to the common
<isc/platform.h>.

Introduce a new option '-s' for dnssec-settime that when manipulating
timing metadata, it also updates the key state file.

For testing purposes, add options to dnssec-settime to set key
states and when they last changed.

The dst code adds ways to write and read the new key states and
timing metadata. It updates the parsing code for private key files
to not parse the newly introduced metadata (these are for state
files only).

Introduce key goal (the state the key wants to be in).

With the move of the normal output to stdout, we need a way how to silence the
extra output, so the signed file name can be captured in a simple way.  This
commit adds `-q` command line option that will silence all the normal output
that get's printed from both tools.

This makes the `-12a` options to `dnssec-dsfromkey` work more like
`dnssec-cds`, in that you can specify more than one digest and you
will get multiple records. (Previously you could only get one
non-default digest type at a time.)

The default is now `-2`. You can get the old behaviour with `-12`.

Tests and tools that use `dnssec-dsfromkey` have been updated to use
`-12` where necessary.

This is for conformance with the DS/CDS algorithm requirements in
https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update

This commit only moves code around, with the following exceptions:

  - the check_dns_dbiterator_current() macro and functions
    is_delegation() and has_dname() were removed from
    bin/dnssec/dnssectool.{c,h} and duplicated in two locations:
    bin/dnssec/dnssec-signzone.c and lib/dns/zoneverify.c; these
    functions are used both by the code in bin/dnssec/dnssec-signzone.c
    and verifyzone(), but are not a good fit for being exported by a
    code module responsible for zone verification,

  - fatal() and check_result() were duplicated in lib/dns/zoneverify.c
    as static functions which do not use the "program" variable any more
    (as it is only set by the tools in bin/dnssec/); this is a temporary
    step which only aims to prevent compilation from breaking - these
    duplicate functions will be removed once lib/dns/zoneverify.c is
    refactored not to use them,

  - the list of header files included by lib/dns/zoneverify.c was
    expanded to encompass all header files that are actually used by the
    code in that file,

  - a description of the purpose of the commented out "fields" inside
    struct nsec3_chain_fixed was added.

Rather than use custom functions and macros local to bin/dnssec/, use
their counterparts provided by libdns.

DNAME records indicate bottom of zone and thus no records below a DNAME
should be DNSSEC-signed or included in NSEC(3) chains.  Add a helper
function, has_dname(), for detecting DNAME records at a given node.
Prevent signing DNAME-obscured records.  Check that DNAME-obscured
records are not signed.

The three functions has been modeled after the arc4random family of
functions, and they will always return random bytes.

The isc_random family of functions internally use these CSPRNG (if available):

1. getrandom() libc call (might be available on Linux and Solaris)
2. SYS_getrandom syscall (might be available on Linux, detected at runtime)
3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X)
4. crypto library function:
4a. RAND_bytes in case OpenSSL
4b. pkcs_C_GenerateRandom() in case PKCS#11 library

4757.   [func]          New "dnssec-cds" command creates a new parent DS
                        RRset based on CDS or CDNSKEY RRsets found in
                        a child zone, and generates either a dsset file
                        or stream of nsupdate commands to update the
                        parent. Thanks to Tony Finch. [RT #46090]

4673.	[port]		Silence GCC 7 warnings. [RT #45592]

                        CDNSKEY rrsets to named and dnssec-signzone.
                        [RT #40424]

4039.	[cleanup]	Cleaned up warnings from gcc -Wshadow. [RT #37381]

Squashed commit of the following:

commit 95effe9b2582a7eb878ccb8cb9ef51dfc5bbfde7
Author: Evan Hunt <each@isc.org>
Date:   Tue Jun 10 16:52:45 2014 -0700

    [rt10686] move version() to dnssectool.c

commit df205b541d1572ea5306a5f671af8b54b9c5c770
Author: Mukund Sivaraman <muks@isc.org>
Date:   Tue Jun 10 21:38:31 2014 +0530

    Rearrange order of cases

commit cfd30893f2540bf9d607e1fd37545ea7b441e0d0
Author: Mukund Sivaraman <muks@isc.org>
Date:   Tue Jun 10 21:38:08 2014 +0530

    Add version printer to dnssec-verify

commit a625ea338c74ab5e21634033ef87f170ba37fdbe
Author: Mukund Sivaraman <muks@isc.org>
Date:   Tue Jun 10 21:32:19 2014 +0530

    Add version printer to dnssec-signzone

commit d91e1c0f0697b3304ffa46fccc66af65591040d9
Author: Mukund Sivaraman <muks@isc.org>
Date:   Tue Jun 10 21:26:01 2014 +0530

    Add version printer to dnssec-settime

commit 46fc8775da3e13725c31d13e090b406d69b8694f
Author: Mukund Sivaraman <muks@isc.org>
Date:   Tue Jun 10 21:25:48 2014 +0530

    Fix docbook

commit 8123d2efbd84cdfcbc70403aa9bb27b96921bab2
Author: Mukund Sivaraman <muks@isc.org>
Date:   Tue Jun 10 21:20:17 2014 +0530

    Add version printer to dnssec-revoke

commit d0916420317d3e8c69cf1b37d2209ea2d072b913
Author: Mukund Sivaraman <muks@isc.org>
Date:   Tue Jun 10 21:17:54 2014 +0530

    Add version printer to dnssec-keygen

commit 93b0bd5ebc043298dc7d8f446ea543cb40eaecf8
Author: Mukund Sivaraman <muks@isc.org>
Date:   Tue Jun 10 21:14:11 2014 +0530

    Add version printer to dnssec-keyfromlabel

commit 07001bcd9ae2d7b09dd9e243b0ab35307290d05d
Author: Mukund Sivaraman <muks@isc.org>
Date:   Tue Jun 10 21:13:39 2014 +0530

    Update usage help output, docbook

commit 85cdd702f41c96fbc767fc689d1ed97fe1f3a926
Author: Mukund Sivaraman <muks@isc.org>
Date:   Tue Jun 10 21:07:18 2014 +0530

    Add version printer to dnssec-importkey

commit 9274fc61e38205aad561edf445940b4e73d788dc
Author: Mukund Sivaraman <muks@isc.org>
Date:   Tue Jun 10 21:01:53 2014 +0530

    Add version printer to dnssec-dsfromkey

commit bf4605ea2d7282e751fd73489627cc8a99f45a90
Author: Mukund Sivaraman <muks@isc.org>
Date:   Tue Jun 10 20:49:22 2014 +0530

    Add -V to nsupdate usage output

3730.	[cleanup]	Added "never" as a synonym for "none" when
			configuring key event dates in the dnssec tools.
			[RT #35277]

3729.	[bug]		dnssec-kegeyn could set the publication date
			incorrectly when only the activation date was
			specified on the command line. [RT #35278]

                        to ensure correctness of signatures and of NSEC/NSEC3
                        chains. [RT #23673]

                        [RT #24711]

			creating key files if there is a chance that the new
			key ID will collide with an existing one after
			either of the keys has been revoked.  (To override
			this in the case of dnssec-keyfromlabel, use the -y
			option.  dnssec-keygen will simply create a
			different, noncolliding key, so an override is
			not necessary.) [RT #20838]

			will now ignore unrecognized fields when the
			minor version number of the private key format
			has been increased.  It will reject any key with
			the major version number increased. [RT #20310]

			dnssec-signzone now warn immediately if asked to
			write into a nonexistent directory. [RT #20278]

			to be fully automated in zones configured for
			dynamic DNS.  'auto-dnssec allow;' permits a zone
			to be signed by creating keys for it in the
			key-directory and using 'rndc sign <zone>'.
			'auto-dnssec maintain;' allows that too, plus it
			also keeps the zone's DNSSEC keys up to date
			according to their timing metadata. [RT #19943]

			- dnssec-keygen and dnssec-settime can now set key
			  metadata fields 0 (to unset a value, use "none")
			- dnssec-revoke sets the revocation date in
			  addition to the revoke bit
			- dnssec-settime can now print individual metadata
			  fields instead of always printing all of them,
			  and can print them in unix epoch time format for
			  use by scripts
			[RT #19942]