Commit 79ce3a9e authored by Evan Hunt

3128. [func] Inserting an NSEC3PARAM via dynamic update in an

			auto-dnssec zone that has not been signed yet
			will cause it to be signed with the specified NSEC3
			parameters when keys are activated.  The
			NSEC3PARAM record will not appear in the zone until
			it is signed, but the parameters will be stored.
			[RT #23684]
parent 5e3affc6
3128. [func] Inserting an NSEC3PARAM via dynamic update in an
auto-dnssec zone that has not been signed yet
will cause it to be signed with the specified NSEC3
parameters when keys are activated. The
NSEC3PARAM record will not appear in the zone until
it is signed, but the parameters will be stored.
[RT #23684]
3127. [bug] 'rndc thaw' will now remove a zone's journal file
if the zone serial number has been changed and
ixfr-from-differences is not in use. [RT #24687]
......
......@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.276 2011/05/07 00:31:13 each Exp $ */
/* $Id: dnssec-signzone.c,v 1.277 2011/06/10 01:51:08 each Exp $ */
/*! \file */
......@@ -3852,10 +3852,15 @@ main(int argc, char *argv[]) {
hashlist_init(&hashlist, dns_db_nodecount(gdb) * 2,
hash_length);
result = dns_nsec_nseconly(gdb, gversion, &answer);
check_result(result, "dns_nsec_nseconly");
if (answer)
if (result == ISC_R_NOTFOUND)
fprintf(stderr, "%s: warning: NSEC3 generation "
"requested with no DNSKEY; ignoring\n",
program);
else if (result != ISC_R_SUCCESS)
check_result(result, "dns_nsec_nseconly");
else if (answer)
fatal("NSEC3 generation requested with "
"NSEC only DNSKEY");
"NSEC-only DNSKEY");
}
/*
......
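Review bot: The new `result == ISC_R_NOTFOUND` branch turns a missing DNSKEY into a stderr warning whose text says "ignoring", but nothing in the hunk records that decision — `answer` stays ISC_FALSE and the hashlist was already initialised two lines earlier — so whether main() goes on to build an NSEC3 chain for a zone with no DNSKEY is decided outside the hunk. A one-line comment naming the later step that is skipped, or an explicit flag set here and tested where the chain is built, would make the intent checkable instead of something the reader infers from a message. The `else if (result != ISC_R_SUCCESS)` guard around check_result() is redundant if check_result() is a no-op on success, so the tail of the chain could read `else { check_result(result, "dns_nsec_nseconly"); if (answer) fatal("NSEC3 generation requested with NSEC-only DNSKEY"); }`. main() continues outside the hunk.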
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.192 2011/03/25 23:53:02 each Exp $ */
/* $Id: update.c,v 1.193 2011/06/10 01:51:08 each Exp $ */
#include <config.h>
......@@ -3068,8 +3068,19 @@ check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
}
/* Check existing DB for NSEC-only DNSKEY */
if (!nseconly)
CHECK(dns_nsec_nseconly(db, ver, &nseconly));
if (!nseconly) {
result = dns_nsec_nseconly(db, ver, &nseconly);
/*
* An NSEC3PARAM update can proceed without a DNSKEY (it
* will trigger a delayed change), so we can ignore
* ISC_R_NOTFOUND here.
*/
if (result == ISC_R_NOTFOUND)
result = ISC_R_SUCCESS;
CHECK(result);
}
/* Check existing DB for NSEC3 */
if (!nsec3)
......@@ -3240,9 +3251,11 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
ttl_good = ISC_TRUE;
}
if (tuple->op == DNS_DIFFOP_ADD) {
isc_boolean_t nseconly = ISC_FALSE;
/*
* Look for any deletes which match this ADD ignoring
* OPTOUT. We don't need to explictly remove them as
* flags. We don't need to explictly remove them as
* they will be removed a side effect of processing
* the add.
*/
......@@ -3264,12 +3277,28 @@ add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
ISC_LIST_APPEND(diff->tuples, next, link);
next = ISC_LIST_HEAD(temp_diff.tuples);
}
/*
* See if we already have a CREATE request in progress.
* Create a private-type record to signal that
* we want a delayed NSEC3 chain add/delete
*/
dns_nsec3param_toprivate(&tuple->rdata, &rdata,
privatetype, buf, sizeof(buf));
buf[2] |= DNS_NSEC3FLAG_CREATE;
/*
* If the zone is not currently capable of
* supporting an NSEC3 chain, then we set the
* INITIAL flag to indicate that these parameters
* are to be used later.
*/
result = dns_nsec_nseconly(db, ver, &nseconly);
if (result == ISC_R_NOTFOUND || nseconly)
buf[2] |= DNS_NSEC3FLAG_INITIAL;
/*
* See if this CREATE request already exists.
*/
CHECK(rr_exists(db, ver, name, &rdata, &flag));
if (!flag) {
......@@ -4192,7 +4221,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
CHECK(add_nsec3param_records(client, zone, db, ver, &diff));
if (!has_dnskey) {
if (had_dnskey && !has_dnskey) {
/*
* We are transitioning from secure to insecure.
* Cause all NSEC3 chains to be deleted. When the
......
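Review bot: In add_nsec3param_records(), the result of `result = dns_nsec_nseconly(db, ver, &nseconly);` is only compared against ISC_R_NOTFOUND; any other failure (database or memory error) is dropped, and because `nseconly` was initialised to ISC_FALSE the CREATE request is then written without the INITIAL flag as though the zone were NSEC3-capable. The check_dnssec() hunk in the same file handles the same call correctly by mapping NOTFOUND to SUCCESS and then `CHECK(result)`, so the same treatment belongs here: `if (result != ISC_R_NOTFOUND) CHECK(result);` before the `if (result == ISC_R_NOTFOUND || nseconly)` test. CHECK is already used a few lines below in this function (`CHECK(rr_exists(...))`), so the failure path it jumps to exists. Both functions start and end outside their hunks.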
......@@ -14,12 +14,12 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: clean.sh,v 1.10 2011/03/25 23:53:02 each Exp $
# $Id: clean.sh,v 1.11 2011/06/10 01:51:09 each Exp $
rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
rm -f active.key inact.key del.key unpub.key standby.key rev.key
rm -f nopriv.key vanishing.key del1.key del2.key
rm -f delayksk.key delayzsk.key
rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
rm -f nsupdate.out
rm -f */core
rm -f */example.bk
......
......@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: keygen.sh,v 1.9 2011/05/26 23:47:27 tbox Exp $
# $Id: keygen.sh,v 1.10 2011/06/10 01:51:09 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -24,7 +24,7 @@ RANDFILE=../random.data
# Have the child generate subdomain keys and pass DS sets to us.
( cd ../ns3 && sh keygen.sh )
for subdomain in secure nsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs
for subdomain in secure nsec3 autonsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs
do
cp ../ns3/dsset-$subdomain.example. .
done
......
; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
;
; Permission to use, copy, modify, and/or distribute this software for any
; purpose with or without fee is hereby granted, provided that the above
; copyright notice and this permission notice appear in all copies.
;
; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: autonsec3.example.db.in,v 1.2 2011/06/10 01:51:09 each Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
d A 10.0.0.4
z A 10.0.0.26
a.a.a.a A 10.0.0.3
child NS ns2.example.
insecure NS ns.insecure
ns.insecure A 10.53.0.3
secure NS ns.secure
ns.secure A 10.53.0.3
nsec3 NS ns.nsec3
ns.nsec3 A 10.53.0.3
optout NS ns.optout
ns.optout A 10.53.0.3
02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
......@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: keygen.sh,v 1.11 2011/03/25 23:53:02 each Exp $
# $Id: keygen.sh,v 1.12 2011/06/10 01:51:09 each Exp $
SYSTEMTESTTOP=../..
. $SYSTEMTESTTOP/conf.sh
......@@ -73,6 +73,19 @@ ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# An NSEC3 zone, with NSEC3 parameters set prior to signing
#
zone=autonsec3.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cat $infile > $zonefile
ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone`
echo $ksk > ../autoksk.key
zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone`
echo $zsk > ../autozsk.key
$DSFROMKEY $ksk.key > dsset-${zone}.
#
# OPTOUT/NSEC test zone
#
......@@ -168,7 +181,7 @@ $SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > /dev/null 2>&1
zone=nsec3-to-nsec.example
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
#cp $infile $zonefile
ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone`
$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null
$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null 2>&1
......@@ -248,3 +261,4 @@ ksk=`$KEYGEN -G -q -3 -r $RANDFILE -fk $zone`
echo $ksk > ../delayksk.key
zsk=`$KEYGEN -G -q -3 -r $RANDFILE $zone`
echo $zsk > ../delayzsk.key
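Review bot: The `#cp $infile $zonefile` line in the nsec3-to-nsec.example block is commented out rather than removed, and that block is unrelated to the autonsec3 zone this commit adds. The `$SIGNER ... -f $zonefile $infile` call two lines later writes `$zonefile` itself, which appears to be why the copy is no longer needed, so delete the line and let the commit message carry the explanation instead of leaving dead code. The new autonsec3 block also uses `cat $infile > $zonefile` where the neighbouring block used `cp $infile $zonefile`; picking one form keeps the script uniform.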
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.11 2011/04/29 21:37:14 each Exp $ */
/* $Id: named.conf,v 1.12 2011/06/10 01:51:09 each Exp $ */
// NS3
......@@ -80,6 +80,13 @@ zone "nsec3.example" {
auto-dnssec maintain;
};
zone "autonsec3.example" {
type master;
file "autonsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
};
zone "optout.nsec3.example" {
type master;
file "optout.nsec3.example.db";
......
......@@ -14,7 +14,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: tests.sh,v 1.30 2011/06/10 01:32:37 each Exp $
# $Id: tests.sh,v 1.31 2011/06/10 01:51:09 each Exp $
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
......@@ -96,9 +96,11 @@ status=`expr $status + $ret`
echo "I:checking NSEC->NSEC3 conversion prerequisites ($n)"
ret=0
# this command should result in an empty file:
$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1
# these commands should result in an empty file:
$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.1.test$n || ret=1
grep "NSEC3PARAM" dig.out.ns3.1.test$n > /dev/null && ret=1
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.2.test$n || ret=1
grep "NSEC3PARAM" dig.out.ns3.2.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
......@@ -123,6 +125,9 @@ send
zone nsec3.example.
update add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
zone autonsec3.example.
update add autonsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF
send
zone nsec3.optout.example.
update add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
......@@ -142,6 +147,21 @@ update add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
END
echo "I:checking for nsec3param in unsigned zone ($n)"
ret=0
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:signing preset nsec3 zone"
zsk=`cat autozsk.key`
ksk=`cat autoksk.key`
$SETTIME -K ns3 -P now -A now $zsk > /dev/null 2>&1
$SETTIME -K ns3 -P now -A now $ksk > /dev/null 2>&1
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys autonsec3.example. 2>&1 | sed 's/^/I:ns3 /'
echo "I:waiting for changes to take effect"
sleep 3
......@@ -186,6 +206,20 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking direct NSEC3 autosigning succeeded ($n)"
ret=0
$DIG $DIGOPTS +noall +answer autonsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
[ -s dig.out.ns3.ok.test$n ] || ret=1
grep "NSEC3PARAM" dig.out.ns3.ok.test$n > /dev/null || ret=1
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
$DIG $DIGOPTS +noauth q.autonsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
ret=0
grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
......@@ -713,13 +747,13 @@ send
END
sleep 2
$DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1
egrep '(DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
egrep '(RRSIG|DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
echo "I:checking secure-to-insecure transition, scheduled ($n)"
ret=0
file="ns3/`cat del1.key`.key"
$SETTIME -I now -D now $file > /dev/null
file="ns3/`cat del2.key`.key"
......@@ -727,8 +761,7 @@ $SETTIME -I now -D now $file > /dev/null
$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign secure-to-insecure2.example. 2>&1 | sed 's/^/I:ns3 /'
sleep 2
$DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1
egrep '(DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
egrep '(RRSIG|DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo "I:failed"; fi
status=`expr $status + $ret`
......
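Review bot: In the new "signing preset nsec3 zone" step, both `$SETTIME -K ns3 -P now -A now $zsk > /dev/null 2>&1` lines discard stderr and the exit status, so if a key file named in autozsk.key or autoksk.key is missing or settime fails, the only symptom is a later "I:failed" from the "direct NSEC3 autosigning succeeded" check with nothing pointing at the cause. Let the error text through as the `$RNDC ... loadkeys` line already does, e.g. `$SETTIME -K ns3 -P now -A now $zsk > /dev/null || echo "I:settime $zsk failed"`. The `[ -s dig.out.ns3.ok.test$n ] || ret=1` test is also subsumed by the `grep "NSEC3PARAM"` on the next line, since an empty file cannot match.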
......@@ -15,7 +15,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec.xml,v 1.4 2010/08/16 22:21:06 marka Exp $ -->
<!-- $Id: dnssec.xml,v 1.5 2011/06/10 01:51:09 each Exp $ -->
<sect1 id="dnssec.dynamic.zones">
<title>DNSSEC, Dynamic Zones, and Automatic Signing</title>
......@@ -100,8 +100,7 @@
<command>named</command> can search the key directory for keys
matching the zone, insert them into the zone, and use them to
sign the zone. It will do so only when it receives an
<command>rndc sign &lt;zonename&gt;</command> or
<command>rndc loadkeys &lt;zonename&gt;</command> command.</para>
<command>rndc sign &lt;zonename&gt;</command>.</para>
<para>
<!-- TODO: this is repeated in the ARM -->
<command>auto-dnssec maintain</command> includes the above
......@@ -109,12 +108,35 @@
DNSKEY records on schedule according to the keys' timing metadata.
(See <xref linkend="man.dnssec-keygen"/> and
<xref linkend="man.dnssec-settime"/> for more information.)
</para>
<para>
<command>named</command> will periodically search the key directory
for keys matching the zone, and if the keys' metadata indicates
that any change should be made the zone, such as adding, removing,
or revoking a key, then that action will be carried out. By default,
the key directory is checked for changes every 60 minutes; this period
can be adjusted with the <command>dnssec-loadkeys-interval</option>, up
to a maximum of 24 hours. The <command>rndc loadkeys</command> forces
<command>named</command> to check for key updates immediately.
</para>
<para>
If keys are present in the key directory the first time the zone
is loaded, it will be signed immediately, without waiting for an
is loaded, the zone will be signed immediately, without waiting for an
<command>rndc sign</command> or <command>rndc loadkeys</command>
command. (Those commands can still be used when there are unscheduled
key changes, however.)
</para>
<ppara>
<para>
If you wish the zone to be signed using NSEC3 instead of NSEC,
submit an NSEC3PARAM record via dynamic update prior to the
scheduled publication and activation of the keys. If you wish the
NSEC3 chain to have the OPTOUT bit set, set it in the flags field
of the NSEC3PARAM record. The NSEC3PARAM record will not appear in
the zone immediately, but it will be stored for later reference. When
the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
record will appear in the zone.
</para>
<para>Using the
<command>auto-dnssec</command> option requires the zone to be
configured to allow dynamic updates, by adding an
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsec.h,v 1.12 2008/09/25 04:02:39 tbox Exp $ */
/* $Id: nsec.h,v 1.13 2011/06/10 01:51:09 each Exp $ */
#ifndef DNS_NSEC_H
#define DNS_NSEC_H 1
......@@ -69,7 +69,8 @@ dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
isc_boolean_t *answer);
/*
* Report whether the DNSKEY RRset has a NSEC only algorithm. Unknown
* algorithms are assumed to support NSEC3.
* algorithms are assumed to support NSEC3. If DNSKEY is not found,
* *answer is set to ISC_FALSE, and ISC_R_NOTFOUND is returned.
*
* Requires:
* 'answer' to be non NULL.
......
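Review bot: The updated comment on dns_nsec_nseconly() states the new ISC_R_NOTFOUND return in prose only; the block has a `Requires:` list but, as far as this hunk shows, no `Returns:` list, so the result codes a caller must handle are easy to miss. Add one in the header's usual style: `Returns:` / `ISC_R_SUCCESS` / `ISC_R_NOTFOUND  no DNSKEY RRset found; *answer is ISC_FALSE` / `Other results from the database lookup`. It is also worth saying explicitly that this is a change from the previous behaviour (the old code returned ISC_R_SUCCESS in that case), since callers that test only `result != ISC_R_SUCCESS` will now treat an unsigned zone as an error.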
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsec.c,v 1.15 2011/03/12 04:59:48 tbox Exp $ */
/* $Id: nsec.c,v 1.16 2011/06/10 01:51:09 each Exp $ */
/*! \file */
......@@ -245,10 +245,8 @@ dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
0, 0, &rdataset, NULL);
dns_db_detachnode(db, &node);
if (result == ISC_R_NOTFOUND) {
if (result == ISC_R_NOTFOUND)
*answer = ISC_FALSE;
return (ISC_R_SUCCESS);
}
if (result != ISC_R_SUCCESS)
return (result);
for (result = dns_rdataset_first(&rdataset);
......
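Review bot: Changing dns_nsec_nseconly() to return ISC_R_NOTFOUND where it previously returned ISC_R_SUCCESS with `*answer = ISC_FALSE` is a contract change for every caller, not only the three this commit updates (update.c, dnssec-signzone.c, zone.c); any caller elsewhere that wraps the call in CHECK() — the pattern the old check_dnssec() code used — will now reject zones that simply have no DNSKEY yet, which on a dynamic-update path means refusing updates the zone used to accept. Worth confirming with a search for dns_nsec_nseconly across the tree before merging, and noting the return-value change in the CHANGES entry. The function starts and ends outside the hunk.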
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsec3.c,v 1.22 2011/06/08 22:13:50 each Exp $ */
/* $Id: nsec3.c,v 1.23 2011/06/10 01:51:09 each Exp $ */
#include <config.h>
......@@ -49,6 +49,7 @@
#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
#define INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0)
#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
static void
......
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: private.c,v 1.5 2011/02/15 23:47:36 tbox Exp $ */
/* $Id: private.c,v 1.6 2011/06/10 01:51:09 each Exp $ */
#include "config.h"
......@@ -44,6 +44,7 @@
#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
#define INITIAL(x) (((x) & DNS_NSEC3FLAG_INITIAL) != 0)
#define NONSEC(x) (((x) & DNS_NSEC3FLAG_NONSEC) != 0)
#define CHECK(x) do { \
......
......@@ -18,7 +18,7 @@
#ifndef GENERIC_NSEC3_50_H
#define GENERIC_NSEC3_50_H 1
/* $Id: nsec3_50.h,v 1.4 2008/09/25 04:02:39 tbox Exp $ */
/* $Id: nsec3_50.h,v 1.5 2011/06/10 01:51:09 each Exp $ */
/*!
* \brief Per RFC 5155 */
......@@ -46,7 +46,16 @@ typedef struct dns_rdata_nsec3 {
#define DNS_NSEC3FLAG_OPTOUT 0x01U
/*%
* Non-standard, NSEC3PARAM only.
* The following flags are used in the private-type record (implemented in
* lib/dns/private.c) which is used to store NSEC3PARAM data during the
* time when it is not legal to have an actual NSEC3PARAM record in the
* zone. They are defined here because the private-type record uses the
* same flags field for the OPTOUT flag above and for the private flags
* below. XXX: This should be considered for refactoring.
*/
/*%
* Non-standard, private type only.
*
* Create a corresponding NSEC3 chain.
* Once the NSEC3 chain is complete this flag will be removed to signal
......@@ -55,13 +64,14 @@ typedef struct dns_rdata_nsec3 {
* This flag is automatically set when a NSEC3PARAM record is added to
* the zone via UPDATE.
*
* NSEC3PARAM records with this flag set are supposed to be ignored by
* RFC 5155 compliant nameservers.
* NSEC3PARAM records containing this flag should never be published,
* but if they are, they should be ignored by RFC 5155 compliant
* nameservers.
*/
#define DNS_NSEC3FLAG_CREATE 0x80U
/*%
* Non-standard, NSEC3PARAM only.
* Non-standard, private type only.
*
* The corresponding NSEC3 set is to be removed once the NSEC chain
* has been generated.
......@@ -69,24 +79,39 @@ typedef struct dns_rdata_nsec3 {
* This flag is automatically set when the last active NSEC3PARAM record
* is removed from the zone via UPDATE.
*
* NSEC3PARAM records with this flag set are supposed to be ignored by
* RFC 5155 compliant nameservers.
* NSEC3PARAM records containing this flag should never be published,
* but if they are, they should be ignored by RFC 5155 compliant
* nameservers.
*/
#define DNS_NSEC3FLAG_REMOVE 0x40U
/*%
* Non-standard, NSEC3PARAM only.
* Non-standard, private type only.
*
* Used to identify NSEC3PARAM records added in this UPDATE request.
* When set with the CREATE flag, a corresponding NSEC3 chain will be
* created when the zone becomes capable of supporting one (i.e., when it
* has a DNSKEY RRset containing at least one NSEC3-capable algorithm).
* Without this flag, NSEC3 chain creation would be attempted immediately,
* fail, and the private type record would be removed. With it, the NSEC3
* parameters are stored until they can be used. When the zone has the
* necessary prerequisites for NSEC3, then the INITIAL flag can be cleared,
* and the record will be cleaned up normally.
*
* NSEC3PARAM records containing this flag should never be published, but
* if they are, they should be ignored by RFC 5155 compliant nameservers.
*/
#define DNS_NSEC3FLAG_UPDATE 0x20U
#define DNS_NSEC3FLAG_INITIAL 0x20U
/*%
* Non-standard, NSEC3PARAM only.
* Non-standard, private type only.
*
* Prevent the creation of a NSEC chain before the last NSEC3 chain
* is removed. This will normally only be set when the zone is
* transitioning from secure with NSEC3 chains to insecure.
*
* NSEC3PARAM records containing this flag should never be published,
* but if they are, they should be ignored by RFC 5155 compliant
* nameservers.
*/
#define DNS_NSEC3FLAG_NONSEC 0x10U
......
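Review bot: Renaming `DNS_NSEC3FLAG_UPDATE` to `DNS_NSEC3FLAG_INITIAL` (same value 0x20U, different meaning) in a header that forms part of libdns's installed interface silently removes the old identifier; a reader of this hunk cannot tell whether anything outside the commit still uses it, and the semantics differ enough that a compatibility alias would be misleading. A one-line comment at the definition, `/* bit 0x20U was DNS_NSEC3FLAG_UPDATE before the INITIAL flag was introduced */`, records the reuse of the bit. If a private-type record with that bit set could have been persisted by an earlier build (the old comment described it as marking records added in the current UPDATE request, so it may have been transient only), it would now be read as INITIAL; worth a sentence either way.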
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zone.c,v 1.613 2011/06/10 01:32:38 each Exp $ */
/* $Id: zone.c,v 1.614 2011/06/10 01:51:09 each Exp $ */
/*! \file */
......@@ -61,6 +61,7 @@
#include <dns/private.h>
#include <dns/rbt.h>
#include <dns/rcode.h>
#include <dns/rdata.h>
#include <dns/rdataclass.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
......@@ -2428,13 +2429,22 @@ resume_signingwithkey(dns_zone_t *zone) {
static isc_result_t
zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
dns_nsec3chain_t *nsec3chain, *current;
dns_dbversion_t *version = NULL;
isc_boolean_t nseconly = ISC_FALSE, nsec3ok = ISC_FALSE;
isc_result_t result;
isc_time_t now;
unsigned int options = 0;
char saltbuf[255*2+1];
char flags[sizeof("REMOVE|CREATE|NONSEC|OPTOUT")];
char flags[sizeof("INITIAL|REMOVE|CREATE|NONSEC|OPTOUT")];
int i;
dns_db_currentversion(zone->db, &version);
result = dns_nsec_nseconly(zone->db, version, &nseconly);
nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
dns_db_closeversion(zone->db, &version, ISC_FALSE);
if (!nsec3ok && (nsec3param->flags & DNS_NSEC3FLAG_REMOVE) == 0)
return (ISC_R_SUCCESS);
nsec3chain = isc_mem_get(zone->mctx, sizeof *nsec3chain);
if (nsec3chain == NULL)
return (ISC_R_NOMEMORY);
......@@ -2461,6 +2471,12 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
flags[0] = '\0';
if (nsec3param->flags & DNS_NSEC3FLAG_REMOVE)
strlcat(flags, "REMOVE", sizeof(flags));
if (nsec3param->flags & DNS_NSEC3FLAG_INITIAL) {
if (flags[0] == '\0')
strlcpy(flags, "INITIAL", sizeof(flags));