1. 16 Feb, 2021 1 commit
    • Stop including gssapi.h from dst/gssapi.h header · a5d2ce79
      Ondřej Surý authored
      The only reason for including the gssapi.h from the dst/gssapi.h header
      was to get the typedefs of gss_cred_id_t and gss_ctx_id_t.  Instead of
      using those types directly this commit introduces dns_gss_cred_id_t and
      dns_gss_ctx_id_t types that are being used in the public API and
      privately retyped to their counterparts when we actually call the gss
      api.
      
      This also conceals the gssapi headers, so users of the libdns library
      don't have to add GSSAPI_CFLAGS to the Makefile when including the
      libdns dst API.
  2. 23 Dec, 2020 1 commit
  3. 14 Sep, 2020 1 commit
  4. 07 Aug, 2020 1 commit
    • Implement 'rndc dnssec -checkds' · 04d8fc01
      Matthijs Mekking authored
      Add a new 'rndc' command 'dnssec -checkds' that allows the user to
      signal named that a new DS record has been seen published in the
      parent, or that an existing DS record has been withdrawn from the
      parent.
      
      Upon the 'checkds' request, 'named' will write out the new state for
      the key, updating the 'DSPublish' or 'DSRemoved' timing metadata.
      
      This replaces the "parent-registration-delay" configuration option,
      which was unreliable because it was purely time based (if the user
      did not actually submit the new DS to the parent, for example, this
      could result in an invalid DNSSEC state).
      
      Because we cannot rely on the parent registration delay for state
      transition, we need to replace it with a different guard. Instead,
      if a key wants its DS state to be moved to RUMOURED, the "DSPublish"
      time must be set and must not be in the future. If a key wants its
      DS state to be moved to UNRETENTIVE, the "DSRemoved" time must be set
      and must not be in the future.
      
      By default, with '-checkds' you set the time that the DS has been
      published or withdrawn to now, but you can set a different time with
      '-when'. If there is only one KSK for the zone, that key has its
      DS state moved to RUMOURED. If there are multiple keys for the zone,
      specify the right key with '-key'.
  5. 21 Feb, 2020 1 commit
  6. 13 Feb, 2020 2 commits
    • apply the modified style · e851ed0b
      Evan Hunt authored
    • Use clang-tidy to add curly braces around one-line statements · 056e133c
      Ondřej Surý authored
      The command used to reformat the files in this commit was:
      
      ./util/run-clang-tidy \
      	-clang-tidy-binary clang-tidy-11 \
      	-clang-apply-replacements-binary clang-apply-replacements-11 \
      	-checks=-*,readability-braces-around-statements \
      	-j 9 \
      	-fix \
      	-format \
      	-style=file \
      	-quiet
      clang-format -i --style=format $(git ls-files '*.c' '*.h')
      uncrustify -c .uncrustify.cfg --replace --no-backup $(git ls-files '*.c' '*.h')
      clang-format -i --style=format $(git ls-files '*.c' '*.h')
  7. 12 Feb, 2020 1 commit
  8. 06 Feb, 2020 1 commit
    • Fix kasp bug new KSK on restart [#1593] · b378d037
      Matthijs Mekking authored
      When you do a restart or reconfig of named, or rndc loadkeys, this
      triggers the key manager to run.  The key manager will check if new
      keys need to be created. If there is an active key, and key rollover
      is scheduled far enough away, no new key needs to be created.
      
      However, there was a bug that when you just start to sign your zone,
      it takes a while before the KSK becomes an active key. An active KSK
      has its DS submitted or published, but before the key manager allows
      that, the DNSKEY needs to be omnipresent. If you restart named
      or rndc loadkeys in quick succession when you just started to sign
      your zone, new keys will be created because the KSK is not yet
      considered active.
      
      The fix is to check for introducing as well as active keys. These keys
      all have in common that their goal is to become omnipresent.
  9. 06 Nov, 2019 7 commits
    • Add dst_key_copy_metadata function. · 1211c348
      Matthijs Mekking authored
      When updating DNSSEC keys we would like to be able to copy the
      metadata from one key to another.
    • Code changes for CSK · 67033bfd
      Matthijs Mekking authored
      Update dns_dnssec_keyactive to differentiate between the roles ZSK
      and KSK.  A key is active if it is signing but that differs per role.
      A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT,
      a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.
      
      This means that a key can be actively signing for one role but not
      the other.  Add checks in inline signing (zone.c and update.c) to
      cover the case where a CSK is active in its KSK role but not the ZSK
      role.
    • Useful dst_key functions · 314b90df
      Matthijs Mekking authored
      Add a couple of dst_key functions for determining hints that
      consider key states if they are available.
      - dst_key_is_unused:
        A key has no timing metadata set other than Created.
      - dst_key_is_published:
        A key has publish timing metadata <= now, DNSKEY state in
        RUMOURED or OMNIPRESENT.
      - dst_key_is_active:
        A key has active timing metadata <= now, RRSIG state in
        RUMOURED or OMNIPRESENT.
      - dst_key_is_signing:
        KSK is_signing and is_active means different things than
        for a ZSK. A ZSK is active means it is also signing, but
        a KSK always signs its DNSKEY RRset but is considered
        active if its DS is present (rumoured or omnipresent).
      - dst_key_is_revoked:
        A key has revoke timing metadata <= now.
      - dst_key_is_removed:
        A key has delete timing metadata <= now, DNSKEY state in
        UNRETENTIVE or HIDDEN.
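The following is an added example, not BIND's dst code: a self-contained C model of the key predicates listed in commit 314b90df above and of the DS-state guard that commit 04d8fc01 ('rndc dnssec -checkds') describes in place of "parent-registration-delay". The type and function names (keyinfo_t, key_is_*, ds_state_may_move, checkds_scenario) are assumptions, as is the convention that a timing field equal to 0 means "not set"; the clock value and the sample CSK are constructed.

```c
/* Added example, not BIND's dst code: model of the key predicates and the
 * DS-state guard described in the commit messages. Names are assumptions;
 * timing fields use 0 to mean "not set". */
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* States as named in the commits; STATE_NA models "no state file available",
 * in which case only timing metadata is consulted. */
typedef enum { HIDDEN, RUMOURED, OMNIPRESENT, UNRETENTIVE, STATE_NA } keystate_t;
typedef enum { ROLE_KSK, ROLE_ZSK } role_t;

typedef struct {
    bool ksk, zsk;                                       /* role metadata (booleans) */
    time_t created, publish, active, revoke, delete_at;  /* 0 = unset */
    time_t ds_publish, ds_removed;                       /* written by -checkds */
    keystate_t dnskey, zrrsig, krrsig, ds;               /* per-record states */
} keyinfo_t;

/* A timing value is "due" when it is set and not in the future. */
static bool due(time_t t, time_t now) { return t != 0 && t <= now; }
/* RUMOURED or OMNIPRESENT; an unknown state raises no objection. */
static bool present(keystate_t s) {
    return s == STATE_NA || s == RUMOURED || s == OMNIPRESENT;
}
static bool has_role(const keyinfo_t *k, role_t r) { return r == ROLE_KSK ? k->ksk : k->zsk; }

/* No timing metadata set other than Created. */
bool key_is_unused(const keyinfo_t *k) {
    return k->publish == 0 && k->active == 0 && k->revoke == 0 &&
           k->delete_at == 0 && k->ds_publish == 0 && k->ds_removed == 0;
}
/* Publish time reached and DNSKEY rumoured/omnipresent. */
bool key_is_published(const keyinfo_t *k, time_t now) {
    return due(k->publish, now) && present(k->dnskey);
}
/* Signing is per role: a ZSK via its ZRRSIG state, a KSK via its KRRSIG state. */
bool key_is_signing(const keyinfo_t *k, role_t role, time_t now) {
    if (!has_role(k, role) || !due(k->active, now)) return false;
    return present(role == ROLE_KSK ? k->krrsig : k->zrrsig);
}
/* Active: for a ZSK the same as signing; a KSK counts as active once its DS
 * is present (rumoured or omnipresent), even though it always signs DNSKEY. */
bool key_is_active(const keyinfo_t *k, role_t role, time_t now) {
    if (role == ROLE_ZSK) return key_is_signing(k, role, now);
    return has_role(k, role) && due(k->active, now) && present(k->ds);
}
bool key_is_revoked(const keyinfo_t *k, time_t now) { return due(k->revoke, now); }
/* Delete time reached and DNSKEY unretentive/hidden (or state unknown). */
bool key_is_removed(const keyinfo_t *k, time_t now) {
    return due(k->delete_at, now) &&
           (k->dnskey == STATE_NA || k->dnskey == UNRETENTIVE || k->dnskey == HIDDEN);
}
/* The guard that replaced parent-registration-delay: DS may move to RUMOURED
 * only once DSPublish is set and not in the future, and to UNRETENTIVE only
 * once DSRemoved is; other DS transitions are not time-guarded here. */
bool ds_state_may_move(const keyinfo_t *k, keystate_t target, time_t now) {
    if (target == RUMOURED) return due(k->ds_publish, now);
    if (target == UNRETENTIVE) return due(k->ds_removed, now);
    return true;
}

/* Walks a constructed CSK that has just begun signing through a -checkds.
 * Returns 0 if every expectation holds, else the number of the failed step. */
int checkds_scenario(void) {
    time_t now = 1700000000;  /* constructed fixed clock */
    keyinfo_t k = { .ksk = true, .zsk = true, .created = now - 86400,
                    .publish = now - 3600, .active = now - 3600,
                    .dnskey = OMNIPRESENT, .zrrsig = OMNIPRESENT,
                    .krrsig = OMNIPRESENT, .ds = HIDDEN };
    if (!key_is_published(&k, now)) return 1;
    if (!key_is_signing(&k, ROLE_KSK, now)) return 2;   /* signs its DNSKEY RRset */
    if (key_is_active(&k, ROLE_KSK, now)) return 3;     /* but DS not yet present */
    if (!key_is_active(&k, ROLE_ZSK, now)) return 4;    /* ZSK role already active */
    if (ds_state_may_move(&k, RUMOURED, now)) return 5; /* no DSPublish recorded */
    k.ds_publish = now + 600;                            /* '-when' in the future */
    if (ds_state_may_move(&k, RUMOURED, now)) return 6;
    k.ds_publish = now;                                  /* 'rndc dnssec -checkds' */
    if (!ds_state_may_move(&k, RUMOURED, now)) return 7;
    k.ds = RUMOURED;
    if (!key_is_active(&k, ROLE_KSK, now)) return 8;
    if (key_is_unused(&k) || key_is_revoked(&k, now) || key_is_removed(&k, now)) return 9;
    return 0;
}

int main(void) {
    int r = checkds_scenario();
    printf("checkds scenario: %s (step %d)\n", r == 0 ? "ok" : "failed", r);
    return r;
}
```

The point the scenario makes is the one from the kasp bug fix above: a CSK can be signing in its KSK role and active in its ZSK role while still not "active" as a KSK, because that depends on the DS, which in turn only advances once the operator has confirmed publication via -checkds.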
    • dnssec-settime: Allow manipulating state files · 72042a06
      Matthijs Mekking authored
      Introduce a new option '-s' for dnssec-settime that, when manipulating
      timing metadata, also updates the key state file.
      
      For testing purposes, add options to dnssec-settime to set key
      states and when they last changed.
      
      The dst code adds ways to write and read the new key states and
      timing metadata. It updates the parsing code for private key files
      to not parse the newly introduced metadata (these are for state
      files only).
      
      Introduce key goal (the state the key wants to be in).
    • Add functionality to read key state from disk · c55625b0
      Matthijs Mekking authored
      When reading a key from file, you can set the DST_TYPE_STATE option
      to also read the key state.
      
      This expects the Algorithm and Length fields to go above the metadata,
      so update the write functionality accordingly.
      
      Introduce new DST metadata types for KSK, ZSK, Lifetime and the
      timing metadata used in state files.
    • Update dst key code to maintain key state · 77d2895a
      Matthijs Mekking authored
      Add a number of metadata variables (lifetime, ksk and zsk role).
      
      For the roles we add a new type of metadata (booleans).
      
      Add a function to write the state of the key to a separate file.
      
      Only write out known metadata to private file.  With the
      introduction of the numeric metadata "Lifetime", adjust the write
      private key file functionality to only write out metadata it knows
      about.
    • 7f4d1dbd
      Matthijs Mekking authored
  10. 21 Feb, 2019 1 commit
  11. 11 Dec, 2018 1 commit
  12. 08 Aug, 2018 2 commits
  13. 16 May, 2018 1 commit
    • Replace all random functions with isc_random, isc_random_buf and isc_random_uniform API. · 3a4f820d
      Ondřej Surý authored
      The three functions have been modeled after the arc4random family of
      functions, and they will always return random bytes.
      
      The isc_random family of functions internally uses these CSPRNGs (if available):
      
      1. getrandom() libc call (might be available on Linux and Solaris)
      2. SYS_getrandom syscall (might be available on Linux, detected at runtime)
      3. arc4random(), arc4random_buf() and arc4random_uniform() (available on BSDs and Mac OS X)
      4. crypto library function:
      4a. RAND_bytes in case OpenSSL
      4b. pkcs_C_GenerateRandom() in case PKCS#11 library
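As an added example (not BIND's isc_random code), the following C program shows the two properties the commit above asks of such an API: the byte source falls through a preference list at runtime instead of silently degrading, and the bounded variant is unbiased. The names random_buf, random_u32, random_uniform and the check_* helpers are assumptions. The fallback list here is shorter than the commit's: the SYS_getrandom syscall (so a kernel or libc without it yields ENOSYS and falls through), then /dev/urandom standing in for the crypto-library step; arc4random and PKCS#11 are not modelled.

```c
/* Added example, not BIND's isc_random code. Fallback: SYS_getrandom syscall
 * (detected at runtime), then /dev/urandom as a stand-in for the
 * crypto-library source. Never returns unfilled or zeroed output. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

/* Source 1: raw getrandom syscall, so the binary still runs on kernels or
 * libcs that lack it (ENOSYS or any other error hands off to the next source). */
static int fill_getrandom(uint8_t *buf, size_t len) {
#if defined(__linux__) && defined(SYS_getrandom)
    while (len > 0) {
        long n = syscall(SYS_getrandom, buf, len, 0);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        buf += n; len -= (size_t)n;   /* short reads are possible; keep going */
    }
    return 0;
#else
    (void)buf; (void)len;
    return -1;
#endif
}

/* Source 2: the kernel's non-blocking CSPRNG device. */
static int fill_urandom(uint8_t *buf, size_t len) {
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    while (len > 0) {
        ssize_t n = read(fd, buf, len);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }
        buf += n; len -= (size_t)n;
    }
    close(fd);
    return 0;
}

/* Fills buf completely or reports failure. */
int random_buf(void *buf, size_t len) {
    if (fill_getrandom(buf, len) == 0) return 0;
    return fill_urandom(buf, len);
}

uint32_t random_u32(void) {
    uint32_t r;
    if (random_buf(&r, sizeof r) != 0) {
        fputs("no CSPRNG source available\n", stderr);
        abort();  /* fail closed: a random API must not degrade to weak output */
    }
    return r;
}

/* Rejection threshold 2^32 mod upper_bound, computed without 64-bit math:
 * (0 - ub) mod 2^32 == 2^32 - ub, and (2^32 - ub) % ub == 2^32 % ub. */
uint32_t uniform_threshold(uint32_t upper_bound) {
    return upper_bound < 2 ? 0 : (0U - upper_bound) % upper_bound;
}

/* Unbiased value in [0, upper_bound): draws below the threshold are rejected
 * so every residue class is equally likely (arc4random_uniform's method). */
uint32_t random_uniform(uint32_t upper_bound) {
    uint32_t r, min = uniform_threshold(upper_bound);
    if (upper_bound < 2) return 0;
    do { r = random_u32(); } while (r < min);
    return r % upper_bound;
}

/* Self-checks used by main(): 1 on success, 0 on failure. */
int check_uniform(uint32_t bound, int trials) {
    for (int i = 0; i < trials; i++) if (random_uniform(bound) >= bound) return 0;
    return 1;
}
int check_nonzero(size_t len) {
    uint8_t buf[64];
    if (len > sizeof buf) len = sizeof buf;
    memset(buf, 0, sizeof buf);
    if (random_buf(buf, len) != 0) return 0;
    for (size_t i = 0; i < len; i++) if (buf[i] != 0) return 1;
    return 0;  /* 32 zero bytes from a CSPRNG has probability 2^-256 */
}

int main(void) {
    uint8_t key[16];
    if (random_buf(key, sizeof key) != 0) return 1;
    printf("16 random bytes:");
    for (size_t i = 0; i < sizeof key; i++) printf(" %02x", key[i]);
    printf("\nthreshold for bound 10: %u\n", uniform_threshold(10));
    printf("uniform(6) draws:");
    for (int i = 0; i < 8; i++) printf(" %u", random_uniform(6));
    printf("\nchecks: uniform=%d nonzero=%d\n", check_uniform(10, 10000), check_nonzero(32));
    return 0;
}
```

The threshold arithmetic is the part worth reading closely: a plain `random_u32() % n` is biased whenever 2^32 is not a multiple of n, and the rejection loop is what removes that bias at the cost of, at worst, one extra draw on average.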
  14. 03 May, 2018 1 commit
  15. 06 Apr, 2018 1 commit
  16. 23 Feb, 2018 1 commit
  17. 28 Sep, 2017 1 commit
    • [master] completed and corrected the crypto-random change · 24172bd2
      Evan Hunt authored
      4724.	[func]		By default, BIND now uses the random number
      			functions provided by the crypto library (i.e.,
      			OpenSSL or a PKCS#11 provider) as a source of
      			randomness rather than /dev/random.  This is
      			suitable for virtual machine environments
      			which have limited entropy pools and lack
      			hardware random number generators.
      
      			This can be overridden by specifying another
      			entropy source via the "random-device" option
      			in named.conf, or via the -r command line option;
      			however, for functions requiring full cryptographic
      			strength, such as DNSSEC key generation, this
      			cannot be overridden. In particular, the -r
      			command line option no longer has any effect on
      			dnssec-keygen.
      
      			This can be disabled by building with
      			"configure --disable-crypto-rand".
      			[RT #31459] [RT #46047]
  18. 13 Sep, 2017 1 commit
  19. 01 Aug, 2017 1 commit
  20. 31 Jul, 2017 1 commit
  21. 30 Dec, 2016 1 commit
  22. 27 Jun, 2016 1 commit
  23. 05 Nov, 2015 1 commit
  24. 07 Aug, 2015 2 commits
  25. 10 Jun, 2014 1 commit
    • [24702] Include key filename in logged message · aa232396
      Mukund Sivaraman authored
      Squashed commit of the following:
      
      commit 593e6bc7e29938ff5c2f7508bde303fb069a97a9
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Tue Jun 10 19:17:40 2014 +0530
      
          Increase size of filename buffers
      
      commit b8685678e026ba98b8833e26664193b6345eb00e
      Author: Evan Hunt <each@isc.org>
      Date:   Wed Jun 4 18:57:44 2014 -0700
      
          [rt24702] some tweaks during review
      
      commit adfbc8f808716c63e9e097d92beef104527e5c6f
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Wed Jun 4 18:18:35 2014 +0530
      
          [24702] Include key filename in logged message
      
      commit f1eff77e7e3704b145c3d65101a735467dd81dc3
      Author: Mukund Sivaraman <muks@isc.org>
      Date:   Wed Jun 4 18:12:43 2014 +0530
      
          Add dst_key_getfilename()
  26. 16 Jan, 2014 1 commit
  27. 14 Jan, 2014 1 commit
    • [master] native PKCS#11 support · ba751492
      Evan Hunt authored
      3705.	[func]		"configure --enable-native-pkcs11" enables BIND
      			to use the PKCS#11 API for all cryptographic
      			functions, so that it can drive a hardware service
      			module directly without the need to use a modified
      			OpenSSL as intermediary (so long as the HSM's vendor
      			provides a complete-enough implementation of the
      			PKCS#11 interface). This has been tested successfully
      			with the Thales nShield HSM and with SoftHSMv2 from
      			the OpenDNSSEC project. [RT #29031]
  28. 04 Sep, 2013 1 commit
  29. 15 Aug, 2013 2 commits
  30. 24 Oct, 2012 1 commit