author | Doug Barton <dougb@FreeBSD.org> | 2010-03-03 05:45:24 +0000 |
---|---|---|
committer | Doug Barton <dougb@FreeBSD.org> | 2010-03-03 05:45:24 +0000 |
commit | eda14e83f216771932ca56c65bc62d994af63706 (patch) | |
tree | 62d02001f69506ed0ec63ea339614e3658d10ebf /contrib/bind9/bin/dnssec | |
parent | 9be0746b5fea430f6dd3031cf32a361d5a197cf3 (diff) | |
parent | 841024d54f1f0a07feccf84d8938b00bc1f362b5 (diff) |
Upgrade to version 9.6.2. This version includes all previously released
security patches to the 9.6.1 version, as well as many other bug fixes.
This version also incorporates a different fix for the problem we had
patched in contrib/bind9/bin/dig/dighost.c, so that file is now back
to being the same as the vendor version.
Because the DNSSEC algorithm that will be used to sign the root zone is only
included in this version and in 9.7.x, those who wish to do validation MUST
upgrade to one of these prior to July 2010.
Notes
Notes:
svn path=/head/; revision=204619
Diffstat (limited to 'contrib/bind9/bin/dnssec')
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-dsfromkey.c | 18 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 | 20 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c | 7 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook | 21 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html | 32 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-keygen.8 | 20 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-keygen.c | 22 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-keygen.docbook | 31 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-keygen.html | 43 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-signzone.8 | 25 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-signzone.c | 915 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-signzone.docbook | 33 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-signzone.html | 45 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssectool.c | 4 | ||||
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssectool.h | 6 |
15 files changed, 951 insertions, 291 deletions
diff --git a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
index 653aa3ea7a5a..8bd4aa566e35 100644
--- a/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
+++ b/contrib/bind9/bin/dnssec/dnssec-dsfromkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssec-dsfromkey.c,v 1.2.14.3 2009/03/02 02:54:15 marka Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.2.14.6 2010/01/11 23:47:22 tbox Exp $ */
 /*! \file */
@@ -78,10 +78,18 @@ loadkeys(char *dirname, char *setname)
 isc_buffer_init(&buf, filename, sizeof(filename));
 if (dirname != NULL) {
+ if (isc_buffer_availablelength(&buf) < strlen(dirname))
+ fatal("directory name '%s' too long", dirname);
 isc_buffer_putstr(&buf, dirname);
- if (dirname[strlen(dirname) - 1] != '/')
+ if (dirname[strlen(dirname) - 1] != '/') {
+ if (isc_buffer_availablelength(&buf) < 1)
+ fatal("directory name '%s' too long", dirname);
 isc_buffer_putstr(&buf, "/");
+ }
 }
+
+ if (isc_buffer_availablelength(&buf) < strlen("keyset-"))
+ fatal("directory name '%s' too long", dirname);
 isc_buffer_putstr(&buf, "keyset-");
 result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
 check_result(result, "dns_name_tofilenametext()");
@@ -210,12 +218,12 @@ emitds(unsigned int dtype, dns_rdata_t *rdata)
 putchar(' ');
 isc_buffer_usedregion(&classb, &r);
- fwrite(r.base, 1, r.length, stdout);
+ isc_util_fwrite(r.base, 1, r.length, stdout);
 printf(" DS ");
 isc_buffer_usedregion(&textb, &r);
- fwrite(r.base, 1, r.length, stdout);
+ isc_util_fwrite(r.base, 1, r.length, stdout);
 putchar('\n');
 }
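Review bot: The third bounds check in loadkeys() sits outside the `dirname != NULL` branch, so when no directory was given and the buffer has fewer than seven bytes free, `fatal("directory name '%s' too long", dirname)` formats a NULL pointer with `%s`, which is undefined behaviour and at best reports a directory that was never supplied. A message that does not dereference dirname, `fatal("key set file name too long");`, is the right wording there. The new checks also leave `dirname[strlen(dirname) - 1]` reading one byte before the start of an empty directory string; `if (dirname != NULL && dirname[0] != '\0') {` as the enclosing condition closes that. loadkeys() starts and ends outside the hunk.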
diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 index 622205820db0..03f13e9d30ad 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 +++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.8 @@ -1,6 +1,6 @@ -.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2008, 2010 Internet Systems Consortium, Inc. ("ISC") .\" -.\" Permission to use, copy, modify, and distribute this software for any +.\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" @@ -12,7 +12,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keyfromlabel.8,v 1.6 2008/11/08 01:11:47 tbox Exp $ +.\" $Id: dnssec-keyfromlabel.8,v 1.6.14.3 2010/01/16 01:55:32 tbox Exp $ .\" .hy 0 .ad l @@ -43,7 +43,13 @@ gets keys with the given label from a crypto hardware and builds key files for D .RS 4 Selects the cryptographic algorithm. The value of \fBalgorithm\fR -must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). These values are case insensitive. +must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or DH (Diffie Hellman). These values are case insensitive. +.sp +If no algorithm is specified, then RSASHA1 will be used by default, unless the +\fB\-3\fR +option is specified, in which case NSEC3RSASHA1 will be used instead. (If +\fB\-3\fR +is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.) .sp Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. .sp 
@@ -138,12 +144,10 @@ file contains algorithm specific fields. For obvious security reasons, this file \fBdnssec\-keygen\fR(8), \fBdnssec\-signzone\fR(8), BIND 9 Administrator Reference Manual, -RFC 2539, -RFC 2845, -RFC 4033. +RFC 4034. .SH "AUTHOR" .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2008, 2010 Internet Systems Consortium, Inc. ("ISC") .br diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c index e7587c39663d..78bfda315398 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c +++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2007, 2008, 2010 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keyfromlabel.c,v 1.4 2008/09/24 02:46:21 marka Exp $ */ +/* $Id: dnssec-keyfromlabel.c,v 1.4.50.2 2010/01/15 23:47:31 tbox Exp $ */ /*! \file */ @@ -48,7 +48,8 @@ const char *program = "dnssec-keyfromlabel"; int verbose; static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |" - " NSEC3DSA | NSEC3RSASHA1"; + " NSEC3DSA | NSEC3RSASHA1 |" + " RSASHA256 | RSASHA512"; static void usage(void) { diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook index 2bcf0a48da4a..f2ab15298331 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook +++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.docbook 
@@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2008, 2010 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-keyfromlabel.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ --> +<!-- $Id: dnssec-keyfromlabel.docbook,v 1.6.14.2 2010/01/15 23:47:31 tbox Exp $ --> <refentry id="man.dnssec-keyfromlabel"> <refentryinfo> <date>February 8, 2008</date> @@ -37,6 +37,7 @@ <docinfo> <copyright> <year>2008</year> + <year>2010</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> </docinfo> @@ -75,11 +76,19 @@ <listitem> <para> Selects the cryptographic algorithm. The value of - <option>algorithm</option> must be one of RSAMD5 (RSA) - or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). + <option>algorithm</option> must be one of RSAMD5, + RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, + RSASHA512 or DH (Diffie Hellman). These values are case insensitive. </para> <para> + If no algorithm is specified, then RSASHA1 will be used by + default, unless the <option>-3</option> option is specified, + in which case NSEC3RSASHA1 will be used instead. (If + <option>-3</option> is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.) + </para> + <para> Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. </para> 
@@ -246,9 +255,7 @@ <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citetitle>BIND 9 Administrator Reference Manual</citetitle>, - <citetitle>RFC 2539</citetitle>, - <citetitle>RFC 2845</citetitle>, - <citetitle>RFC 4033</citetitle>. + <citetitle>RFC 4034</citetitle>. </para> </refsect1> diff --git a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html index cbea64b8d75f..1aafccd97c1a 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html +++ b/contrib/bind9/bin/dnssec/dnssec-keyfromlabel.html @@ -1,7 +1,7 @@ <!-- - - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2008, 2010 Internet Systems Consortium, Inc. ("ISC") - - - Permission to use, copy, modify, and distribute this software for any + - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - @@ -13,7 +13,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-keyfromlabel.html,v 1.5 2008/10/15 01:11:35 tbox Exp $ --> +<!-- $Id: dnssec-keyfromlabel.html,v 1.5.44.3 2010/01/16 01:55:32 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -31,7 +31,7 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543413"></a><h2>DESCRIPTION</h2> +<a name="id2543416"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-keyfromlabel</strong></span> gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 
@@ -39,17 +39,25 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543425"></a><h2>OPTIONS</h2> +<a name="id2543428"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> <p> Selects the cryptographic algorithm. The value of - <code class="option">algorithm</code> must be one of RSAMD5 (RSA) - or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). + <code class="option">algorithm</code> must be one of RSAMD5, + RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, + RSASHA512 or DH (Diffie Hellman). These values are case insensitive. </p> <p> + If no algorithm is specified, then RSASHA1 will be used by + default, unless the <code class="option">-3</code> option is specified, + in which case NSEC3RSASHA1 will be used instead. (If + <code class="option">-3</code> is used and an algorithm is specified, + that algorithm will be checked for compatibility with NSEC3.) + </p> +<p> Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. </p> @@ -112,7 +120,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2543619"></a><h2>GENERATED KEY FILES</h2> +<a name="id2543632"></a><h2>GENERATED KEY FILES</h2> <p> When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes successfully, 
@@ -153,17 +161,15 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543691"></a><h2>SEE ALSO</h2> +<a name="id2543704"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, - <em class="citetitle">RFC 2539</em>, - <em class="citetitle">RFC 2845</em>, - <em class="citetitle">RFC 4033</em>. + <em class="citetitle">RFC 4034</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2543731"></a><h2>AUTHOR</h2> +<a name="id2543737"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.8 b/contrib/bind9/bin/dnssec/dnssec-keygen.8 index 13db3d9db149..485ea6ef2442 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keygen.8 +++ b/contrib/bind9/bin/dnssec/dnssec-keygen.8 @@ -1,7 +1,7 @@ -.\" Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" -.\" Permission to use, copy, modify, and distribute this software for any +.\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" @@ -13,7 +13,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-keygen.8,v 1.40 2008/10/15 01:11:35 tbox Exp $ +.\" $Id: dnssec-keygen.8,v 1.40.44.4 2010/01/16 01:55:32 tbox Exp $ .\" .hy 0 .ad l 
@@ -38,13 +38,17 @@ dnssec\-keygen \- DNSSEC key generation tool .PP \fBdnssec\-keygen\fR generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. +.PP +The +\fBname\fR +of the key is specified on the command line. For DNSSEC keys, this must match the name of the zone for which the key is being generated. .SH "OPTIONS" .PP \-a \fIalgorithm\fR .RS 4 -Selects the cryptographic algorithm. The value of +Selects the cryptographic algorithm. For DNSSEC keys, the value of \fBalgorithm\fR -must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive. +must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive. .sp Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory. .sp @@ -53,7 +57,7 @@ Note 2: HMAC\-MD5 and DH automatically set the \-k flag. .PP \-b \fIkeysize\fR .RS 4 -Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits. +Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSA keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. .RE .PP \-n \fInametype\fR 
@@ -189,12 +193,12 @@ and BIND 9 Administrator Reference Manual, RFC 2539, RFC 2845, -RFC 4033. +RFC 4034. .SH "AUTHOR" .PP Internet Systems Consortium .SH "COPYRIGHT" -Copyright \(co 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") +Copyright \(co 2004, 2005, 2007\-2010 Internet Systems Consortium, Inc. ("ISC") .br Copyright \(co 2000\-2003 Internet Software Consortium. .br diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.c b/contrib/bind9/bin/dnssec/dnssec-keygen.c index 614d388eb7e2..2b9a863b7d46 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keygen.c +++ b/contrib/bind9/bin/dnssec/dnssec-keygen.c @@ -1,5 +1,5 @@ /* - * Portions Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC") + * Portions Copyright (C) 2004-2008, 2010 Internet Systems Consortium, Inc. ("ISC") * Portions Copyright (C) 1999-2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keygen.c,v 1.81 2008/09/25 04:02:38 tbox Exp $ */ +/* $Id: dnssec-keygen.c,v 1.81.48.2 2010/01/15 23:47:31 tbox Exp $ */ /*! \file */ @@ -62,8 +62,8 @@ const char *program = "dnssec-keygen"; int verbose; -static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | NSEC3DSA |" - " NSEC3RSASHA1 | HMAC-MD5 |" +static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | RSASHA256 |" + " RSASHA512 | NSEC3DSA | NSEC3RSASHA1 | HMAC-MD5 |" " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |" " HMAC-SHA384 | HMAC-SHA512"; 
@@ -84,6 +84,8 @@ usage(void) {
 fprintf(stderr, " RSAMD5:\t\t[512..%d]\n", MAX_RSA);
 fprintf(stderr, " RSASHA1:\t\t[512..%d]\n", MAX_RSA);
 fprintf(stderr, " NSEC3RSASHA1:\t\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA256:\t[512..%d]\n", MAX_RSA);
+ fprintf(stderr, " RSASHA512:\t[1024..%d]\n", MAX_RSA);
 fprintf(stderr, " DH:\t\t[128..4096]\n");
 fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
 fprintf(stderr, " NSEC3DSA:\t\t[512..1024] and divisible by 64\n");
@@ -307,9 +309,14 @@ main(int argc, char **argv) {
 case DNS_KEYALG_RSAMD5:
 case DNS_KEYALG_RSASHA1:
 case DNS_KEYALG_NSEC3RSASHA1:
+ case DNS_KEYALG_RSASHA256:
 if (size != 0 && (size < 512 || size > MAX_RSA))
 fatal("RSA key size %d out of range", size);
 break;
+ case DNS_KEYALG_RSASHA512:
+ if (size != 0 && (size < 1024 || size > MAX_RSA))
+ fatal("RSA key size %d out of range", size);
+ break;
 case DNS_KEYALG_DH:
 if (size != 0 && (size < 128 || size > 4096))
 fatal("DH key size %d out of range", size);
@@ -376,7 +383,8 @@ main(int argc, char **argv) {
 }
 if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
- alg == DNS_KEYALG_NSEC3RSASHA1) && rsa_exp != 0)
+ alg == DNS_KEYALG_NSEC3RSASHA1 || alg == DNS_KEYALG_RSASHA256 ||
+ alg == DNS_KEYALG_RSASHA512) && rsa_exp != 0)
 fatal("specified RSA exponent for a non-RSA key");
 if (alg != DNS_KEYALG_DH && generator != 0)
@@ -440,12 +448,16 @@ main(int argc, char **argv) {
 switch(alg) {
 case DNS_KEYALG_RSAMD5:
 case DNS_KEYALG_RSASHA1:
+ case DNS_KEYALG_NSEC3RSASHA1:
+ case DNS_KEYALG_RSASHA256:
+ case DNS_KEYALG_RSASHA512:
 param = rsa_exp;
 break;
 case DNS_KEYALG_DH:
 param = generator;
 break;
 case DNS_KEYALG_DSA:
+ case DNS_KEYALG_NSEC3DSA:
 case DST_ALG_HMACMD5:
 case DST_ALG_HMACSHA1:
 case DST_ALG_HMACSHA224:
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
index c267a1b4c25f..92ef9b9afc57 100644
--- a/contrib/bind9/bin/dnssec/dnssec-keygen.docbook
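Review bot: The two usage rows added for RSASHA256 and RSASHA512 use a single `\t` where every neighbouring row uses `\t\t`, so the new size ranges will not line up with the rest of the help text; `fprintf(stderr, " RSASHA256:\t\t[512..%d]\n", MAX_RSA);` and the same for RSASHA512 match the existing rows. The range check gives RSASHA512 a 1024-bit floor, while the man page, docbook and HTML hunks of this same commit still state that RSA keys "must be between 512 and 2048 bits", so the documentation should mention the higher minimum for RSASHA512. MAX_RSA is defined outside the hunk, and main() begins and ends outside it.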
+++ b/contrib/bind9/bin/dnssec/dnssec-keygen.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - Permission to use, copy, modify, and/or distribute this software for any @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-keygen.docbook,v 1.22 2008/10/14 14:32:50 jreed Exp $ --> +<!-- $Id: dnssec-keygen.docbook,v 1.22.44.4 2010/01/15 23:47:33 tbox Exp $ --> <refentry id="man.dnssec-keygen"> <refentryinfo> <date>June 30, 2000</date> @@ -41,6 +41,8 @@ <year>2005</year> <year>2007</year> <year>2008</year> + <year>2009</year> + <year>2010</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> <copyright> @@ -80,6 +82,11 @@ and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. </para> + <para> + The <option>name</option> of the key is specified on the command + line. For DNSSEC keys, this must match the name of the zone for + which the key is being generated. + </para> </refsect1> <refsect1> 
@@ -90,10 +97,13 @@ <term>-a <replaceable class="parameter">algorithm</replaceable></term> <listitem> <para> - Selects the cryptographic algorithm. The value of - <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5. - These values are case insensitive. + Selects the cryptographic algorithm. For DNSSEC keys, the value + of <option>algorithm</option> must be one of RSAMD5, RSASHA1, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. + For TSIG/TKEY, the value must + be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, + HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are + case insensitive. </para> <para> Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement @@ -111,11 +121,10 @@ <listitem> <para> Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be - between - 512 and 2048 bits. Diffie Hellman keys must be between + size depends on the algorithm used. RSA keys must be + between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC-MD5 keys must be + bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. </para> </listitem> @@ -343,7 +352,7 @@ <citetitle>BIND 9 Administrator Reference Manual</citetitle>, <citetitle>RFC 2539</citetitle>, <citetitle>RFC 2845</citetitle>, - <citetitle>RFC 4033</citetitle>. + <citetitle>RFC 4034</citetitle>. </para> </refsect1> diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.html b/contrib/bind9/bin/dnssec/dnssec-keygen.html index 696ef88c3701..fccec6f684c8 100644 --- a/contrib/bind9/bin/dnssec/dnssec-keygen.html +++ b/contrib/bind9/bin/dnssec/dnssec-keygen.html 
@@ -1,8 +1,8 @@ <!-- - - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2004, 2005, 2007-2010 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - - Permission to use, copy, modify, and distribute this software for any + - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-keygen.html,v 1.32 2008/10/15 01:11:35 tbox Exp $ --> +<!-- $Id: dnssec-keygen.html,v 1.32.44.4 2010/01/16 01:55:32 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -32,23 +32,31 @@ <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543477"></a><h2>DESCRIPTION</h2> +<a name="id2543483"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-keygen</strong></span> generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845. </p> +<p> + The <code class="option">name</code> of the key is specified on the command + line. For DNSSEC keys, this must match the name of the zone for + which the key is being generated. + </p> </div> <div class="refsect1" lang="en"> -<a name="id2543489"></a><h2>OPTIONS</h2> +<a name="id2543501"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> <dd> <p> - Selects the cryptographic algorithm. 
The value of - <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1, - DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5. - These values are case insensitive. + Selects the cryptographic algorithm. For DNSSEC keys, the value + of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. + For TSIG/TKEY, the value must + be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, + HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are + case insensitive. </p> <p> Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement @@ -62,11 +70,10 @@ <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt> <dd><p> Specifies the number of bits in the key. The choice of key - size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be - between - 512 and 2048 bits. Diffie Hellman keys must be between + size depends on the algorithm used. RSA keys must be + between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 - bits and an exact multiple of 64. HMAC-MD5 keys must be + bits and an exact multiple of 64. HMAC keys must be between 1 and 512 bits. </p></dd> <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt> @@ -148,7 +155,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2543824"></a><h2>GENERATED KEYS</h2> +<a name="id2543836"></a><h2>GENERATED KEYS</h2> <p> When <span><strong class="command">dnssec-keygen</strong></span> completes successfully, @@ -194,7 +201,7 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543906"></a><h2>EXAMPLE</h2> +<a name="id2543918"></a><h2>EXAMPLE</h2> <p> To generate a 768-bit DSA key for the domain <strong class="userinput"><code>example.com</code></strong>, the following command would be 
@@ -215,16 +222,16 @@ </p> </div> <div class="refsect1" lang="en"> -<a name="id2543949"></a><h2>SEE ALSO</h2> +<a name="id2544030"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 2539</em>, <em class="citetitle">RFC 2845</em>, - <em class="citetitle">RFC 4033</em>. + <em class="citetitle">RFC 4034</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2544049"></a><h2>AUTHOR</h2> +<a name="id2544061"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.8 b/contrib/bind9/bin/dnssec/dnssec-signzone.8 index 1e779271c346..7b21fb64ce34 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.8 +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.8 @@ -1,7 +1,7 @@ .\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") .\" Copyright (C) 2000-2003 Internet Software Consortium. .\" -.\" Permission to use, copy, modify, and distribute this software for any +.\" Permission to use, copy, modify, and/or distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" @@ -13,7 +13,7 @@ .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR .\" PERFORMANCE OF THIS SOFTWARE. .\" -.\" $Id: dnssec-signzone.8,v 1.47.44.4.8.1 2009/12/31 23:17:46 tbox Exp $ +.\" $Id: dnssec-signzone.8,v 1.47.44.8 2009/11/07 01:56:11 tbox Exp $ .\" .hy 0 .ad l 
@@ -33,13 +33,15 @@ dnssec\-signzone \- DNSSEC zone signing tool .SH "SYNOPSIS" .HP 16 -\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...] +\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-P\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...] .SH "DESCRIPTION" .PP \fBdnssec\-signzone\fR -signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. The security status of delegations from the signed zone (that is, whether the child zones are secure or not) is determined by the presence or absence of a -\fIkeyset\fR -file for each child zone. +signs a zone. It generates NSEC and RRSIG records and produces a signed version of the zone. 
It also generates a +\fIkeyset\-\fR +file containing the key\-signing keys for the zone, and if signing a zone which contains delegations, it can optionally generate DS records for the child zones from their +\fIkeyset\-\fR +files. .SH "OPTIONS" .PP \-a @@ -73,7 +75,9 @@ as the directory .PP \-g .RS 4 -Generate DS records for child zones from keyset files. Existing DS records will be removed. +If the zone contains any delegations, and there are +\fIkeyset\-\fR +files for any of the child zones, then DS records for the child zones will be generated from the keys in those files. Existing DS records will be removed. .RE .PP \-s \fIstart\-time\fR @@ -186,6 +190,13 @@ The format of the output file containing the signed zone. Possible formats are Use pseudo\-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy source is limited. .RE .PP +\-P +.RS 4 +Disable post sign verification tests. +.sp +The post sign verification test ensures that for each algorithm in use there is at least one non revoked self signed KSK key, that all revoked KSK keys are self signed, and that all records in the zone are signed by the algorithm. This option skips these tests. +.RE +.PP \-r \fIrandomdev\fR .RS 4 Specifies the source of randomness. If the operating system does not provide a diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.c b/contrib/bind9/bin/dnssec/dnssec-signzone.c index 2ef2e104902e..eec6110ac58e 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.c +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.209.12.8 2009/06/08 22:23:06 each Exp $ */ +/* $Id: dnssec-signzone.c,v 1.209.12.18 2009/11/03 23:47:45 tbox Exp $ */ /*! \file */ 
@@ -51,6 +51,7 @@
 #include <isc/os.h>
 #include <isc/print.h>
 #include <isc/random.h>
+#include <isc/rwlock.h>
 #include <isc/serial.h>
 #include <isc/stdio.h>
 #include <isc/stdlib.h>
@@ -106,6 +107,8 @@ struct signer_key_struct {
 isc_boolean_t issigningkey;
 isc_boolean_t isdsk;
 isc_boolean_t isksk;
+ isc_boolean_t wasused;
+ isc_boolean_t commandline;
 unsigned int position;
 ISC_LINK(signer_key_t) link;
 };
@@ -127,6 +130,7 @@ struct signer_event {
 static ISC_LIST(signer_key_t) keylist;
 static unsigned int keycount = 0;
+isc_rwlock_t keylist_lock;
 static isc_stdtime_t starttime = 0, endtime = 0, now;
 static int cycle = -1;
 static int jitter = 0;
@@ -164,6 +168,7 @@ static dns_master_style_t *dsstyle = NULL;
 static unsigned int serialformat = SOA_SERIAL_KEEP;
 static unsigned int hash_length = 0;
 static isc_boolean_t unknownalg = ISC_FALSE;
+static isc_boolean_t disable_zone_check = ISC_FALSE;
 #define INCSTAT(counter) \
 if (printstats) { \
@@ -175,8 +180,9 @@ static isc_boolean_t unknownalg = ISC_FALSE;
 static void
 sign(isc_task_t *task, isc_event_t *event);
-static isc_boolean_t
-nsec3only(dns_dbnode_t *node);
+#define check_dns_dbiterator_current(result) \
+ check_result((result == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : result, \
+ "dns_dbiterator_current()")
 static void
 dumpnode(dns_name_t *name, dns_dbnode_t *node) {
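Review bot: `check_dns_dbiterator_current` evaluates its `result` argument twice and does not parenthesize it, so an expression argument (a function call, or anything binding looser than `==`) would be double-evaluated or mis-parsed; every use in this commit passes a plain `result` variable, but the macro should still read `check_result(((result) == DNS_R_NEWORIGIN) ? ISC_R_SUCCESS : (result), "dns_dbiterator_current()")` or become a `static inline` function. A one-line comment on why DNS_R_NEWORIGIN is folded into success would also help a reader who does not know the iterator API, e.g. `/* DNS_R_NEWORIGIN only reports that the iterator crossed an origin; the node and name are still valid. */`, assuming that is the intended semantics.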
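Review bot: `isc_rwlock_t keylist_lock;` is the one file-scope object in this hunk declared without `static`, while `keylist` and `keycount` beside it are static; unless another translation unit needs it, `static isc_rwlock_t keylist_lock;` keeps the symbol private. No `isc_rwlock_init()`/`isc_rwlock_destroy()` call is visible in this chunk; presumably it is added in `main()` elsewhere in the diff, which is worth confirming since the lock is taken unconditionally in keythatsigned below.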
@@ -206,21 +212,37 @@ newkeystruct(dst_key_t *dstkey, isc_boolean_t signwithkey) {
 key->isksk = ISC_FALSE;
 key->isdsk = ISC_TRUE;
 }
+ key->wasused = ISC_FALSE;
+ key->commandline = ISC_FALSE;
 key->position = keycount++;
 ISC_LINK_INIT(key, link);
 return (key);
 }
+/*%
+ * Sign the given RRset with given key, and add the signature record to the
+ * given tuple.
+ */
+
 static void
-signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
- dst_key_t *key, isc_buffer_t *b)
+signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dst_key_t *key,
+ dns_ttl_t ttl, dns_diff_t *add, const char *logmsg)
 {
 isc_result_t result;
 isc_stdtime_t jendtime;
+ char keystr[KEY_FORMATSIZE];
+ dns_rdata_t trdata = DNS_RDATA_INIT;
+ unsigned char array[BUFSIZE];
+ isc_buffer_t b;
+ dns_difftuple_t *tuple;
+
+ key_format(key, keystr, sizeof(keystr));
+ vbprintf(1, "\t%s %s\n", logmsg, keystr);
 jendtime = (jitter != 0) ? isc_random_jitter(endtime, jitter) : endtime;
+ isc_buffer_init(&b, array, sizeof(array));
 result = dns_dnssec_sign(name, rdataset, key, &starttime, &jendtime,
- mctx, b, rdata);
+ mctx, &b, &trdata);
 isc_entropy_stopcallbacksources(ectx);
 if (result != ISC_R_SUCCESS) {
 char keystr[KEY_FORMATSIZE];
@@ -232,7 +254,7 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
 if (tryverify) {
 result = dns_dnssec_verify(name, rdataset, key,
- ISC_TRUE, mctx, rdata);
+ ISC_TRUE, mctx, &trdata);
 if (result == ISC_R_SUCCESS) {
 vbprintf(3, "\tsignature verified\n");
 INCSTAT(nverified);
@@ -241,6 +263,12 @@ signwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
 INCSTAT(nverifyfailed);
 }
 }
+
+ tuple = NULL;
+ result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name, ttl, &trdata,
+ &tuple);
+ check_result(result, "dns_difftuple_create");
+ dns_diff_append(add, &tuple);
 }
 static inline isc_boolean_t
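Review bot: `char keystr[KEY_FORMATSIZE];` is now declared at the top of signwithkey and again inside `if (result != ISC_R_SUCCESS) {`, so the inner declaration shadows the outer one (`-Wshadow`) and is redundant now that the outer buffer is already formatted before the call; drop the inner line. The `/*% ... */` header above should also describe the new parameters, e.g. that `ttl` is the TTL applied to the added RRSIG tuple and `logmsg` is only the prefix of the verbose log line. signwithkey's body continues outside the hunk, so whether the failure branch still terminates cannot be seen here.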
@@ -255,13 +283,11 @@ iszonekey(signer_key_t *key) {
 }
 /*%
- * Finds the key that generated a RRSIG, if possible. First look at the keys
- * that we've loaded already, and then see if there's a key on disk.
+ * Find the key if it is in our list. If it is, return it, otherwise null.
+ * No locking is performed here, this must be done by the caller.
 */
 static signer_key_t *
-keythatsigned(dns_rdata_rrsig_t *rrsig) {
- isc_result_t result;
- dst_key_t *pubkey = NULL, *privkey = NULL;
+keythatsigned_unlocked(dns_rdata_rrsig_t *rrsig) {
 signer_key_t *key;
 key = ISC_LIST_HEAD(keylist);
@@ -269,15 +295,50 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) {
 if (rrsig->keyid == dst_key_id(key->key) &&
 rrsig->algorithm == dst_key_alg(key->key) &&
 dns_name_equal(&rrsig->signer, dst_key_name(key->key)))
- return key;
+ return (key);
 key = ISC_LIST_NEXT(key, link);
 }
+ return (NULL);
+}
+
+/*%
+ * Finds the key that generated a RRSIG, if possible. First look at the keys
+ * that we've loaded already, and then see if there's a key on disk.
+ */
+static signer_key_t *
+keythatsigned(dns_rdata_rrsig_t *rrsig) {
+ isc_result_t result;
+ dst_key_t *pubkey = NULL, *privkey = NULL;
+ signer_key_t *key;
+
+ isc_rwlock_lock(&keylist_lock, isc_rwlocktype_read);
+ key = keythatsigned_unlocked(rrsig);
+ isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_read);
+ if (key != NULL)
+ return (key);
+
+ /*
+ * We did not find the key in our list. Get a write lock now, since
+ * we may be modifying the bits. We could do the tryupgrade() dance,
+ * but instead just get a write lock and check once again to see if
+ * it is on our list. It's possible someone else may have added it
+ * after all.
+ */
+ isc_rwlock_lock(&keylist_lock, isc_rwlocktype_write);
+
+ key = keythatsigned_unlocked(rrsig);
+ if (key != NULL) {
+ isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
+ return (key);
+ }
 result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
 rrsig->algorithm, DST_TYPE_PUBLIC,
 NULL, mctx, &pubkey);
- if (result != ISC_R_SUCCESS)
+ if (result != ISC_R_SUCCESS) {
+ isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
 return (NULL);
+ }
 result = dst_key_fromfile(&rrsig->signer, rrsig->keyid,
 rrsig->algorithm,
@@ -289,6 +350,8 @@ keythatsigned(dns_rdata_rrsig_t *rrsig) {
 } else
 key = newkeystruct(pubkey, ISC_FALSE);
 ISC_LIST_APPEND(keylist, key, link);
+
+ isc_rwlock_unlock(&keylist_lock, isc_rwlocktype_write);
 return (key);
 }
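Review bot: The `signer_key_t *` returned by keythatsigned is dereferenced by callers after `keylist_lock` has been released, which is only safe because entries are appended to `keylist` and never removed; nothing in this chunk removes one, but that invariant should be stated next to the lock comment, e.g. `/* Entries are only ever appended to keylist, so a pointer returned here stays valid after the lock is dropped. */`. The two `dst_key_fromfile()` disk reads now run under the write lock, which serialises every worker that misses the list; that is probably acceptable for a one-shot tool but deserves a sentence in the same comment. The body between the two `dst_key_fromfile()` calls is outside the hunk, so the unlock on the private-key failure path cannot be checked here.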
@@ -438,6 +501,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, keep = ISC_TRUE; wassignedby[key->position] = ISC_TRUE; nowsignedby[key->position] = ISC_TRUE; + key->wasused = ISC_TRUE; } else { vbprintf(2, "\trrsig by %s dropped - %s\n", sigstr, @@ -453,6 +517,7 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, keep = ISC_TRUE; wassignedby[key->position] = ISC_TRUE; nowsignedby[key->position] = ISC_TRUE; + key->wasused = ISC_TRUE; } else { vbprintf(2, "\trrsig by %s dropped - %s\n", sigstr, @@ -499,24 +564,12 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, } if (resign) { - isc_buffer_t b; - dns_rdata_t trdata = DNS_RDATA_INIT; - unsigned char array[BUFSIZE]; - char keystr[KEY_FORMATSIZE]; - INSIST(!keep); - key_format(key->key, keystr, sizeof(keystr)); - vbprintf(1, "\tresigning with dnskey %s\n", keystr); - isc_buffer_init(&b, array, sizeof(array)); - signwithkey(name, set, &trdata, key->key, &b); + signwithkey(name, set, key->key, ttl, add, + "resigning with dnskey"); nowsignedby[key->position] = ISC_TRUE; - tuple = NULL; - result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, - name, ttl, &trdata, - &tuple); - check_result(result, "dns_difftuple_create"); - dns_diff_append(add, &tuple); + key->wasused = ISC_TRUE; } dns_rdata_reset(&sigrdata); @@ -534,11 +587,6 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name, key != NULL; key = ISC_LIST_NEXT(key, link)) { - isc_buffer_t b; - dns_rdata_t trdata; - unsigned char array[BUFSIZE]; - char keystr[KEY_FORMATSIZE]; - if (nowsignedby[key->position]) continue; 
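Review bot: `key->wasused = ISC_TRUE;` is stored from signset without taking `keylist_lock`, whereas keythatsigned (earlier in this diff) takes a read lock just to walk the same entries; if signset runs concurrently in several worker tasks this is an unsynchronised write to a shared struct. The store only ever goes FALSE to TRUE, so it is unlikely to misbehave, but the reasoning should be recorded at the first store, e.g. `/* Written without keylist_lock: only ever set to TRUE, and read after all signing tasks have finished. */`, assuming the flag is indeed read only after the workers complete, which is not visible here. The same store appears at the second `keep = ISC_TRUE;` site and in the `resign` branch of this hunk, and once more in the next hunk (`signing with dnskey`).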
@@ -550,16 +598,9 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 dns_name_equal(name, gorigin))))
 continue;
- key_format(key->key, keystr, sizeof(keystr));
- vbprintf(1, "\tsigning with dnskey %s\n", keystr);
- dns_rdata_init(&trdata);
- isc_buffer_init(&b, array, sizeof(array));
- signwithkey(name, set, &trdata, key->key, &b);
- tuple = NULL;
- result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD, name,
- ttl, &trdata, &tuple);
- check_result(result, "dns_difftuple_create");
- dns_diff_append(add, &tuple);
+ signwithkey(name, set, key->key, ttl, add,
+ "signing with dnskey");
+ key->wasused = ISC_TRUE;
 }
 isc_mem_put(mctx, wassignedby, arraysize * sizeof(isc_boolean_t));
@@ -787,8 +828,8 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
 return (DNS_R_BADDB);
 }
 dns_rdataset_init(&keyset);
- result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0, 0,
- &keyset, NULL);
+ result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, 0,
+ 0, &keyset, NULL);
 if (result != ISC_R_SUCCESS) {
 dns_db_detachnode(db, &node);
 dns_db_detach(&db);
@@ -1021,6 +1062,20 @@ active_node(dns_dbnode_t *node) {
 type = rdataset.type;
 covers = rdataset.covers;
 dns_rdataset_disassociate(&rdataset);
+ /*
+ * Delete the NSEC chain if we are signing with
+ * NSEC3.
+ */
+ if (nsec_datatype == dns_rdatatype_nsec3 &&
+ (type == dns_rdatatype_nsec ||
+ covers == dns_rdatatype_nsec)) {
+ result = dns_db_deleterdataset(gdb, node,
+ gversion, type,
+ covers);
+ check_result(result,
+ "dns_db_deleterdataset(nsec/rrsig)");
+ continue;
+ }
 if (type != dns_rdatatype_rrsig)
 continue;
 found = ISC_FALSE;
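Review bot: The new branch in active_node deletes a rdataset from `node` while the rdataset iterator that produced it (created outside the hunk) is still positioned on it, which relies on the iterator tolerating deletion of its current set; the same pattern is introduced in nsecify and nsec3ify later in this diff. If the db implementation guarantees that, a comment here such as `/* Safe to delete the current rdataset: the iterator no longer references it after dns_rdataset_disassociate(). */` would spare the next reader the check; if it does not, the (type, covers) pairs should be collected first and deleted after the iterator is destroyed. active_node's loop and its error handling continue outside the hunk.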
@@ -1050,32 +1105,6 @@ active_node(dns_dbnode_t *node) {
 fatal("rdataset iteration failed: %s",
 isc_result_totext(result));
 dns_rdatasetiter_destroy(&rdsiter2);
-
-#if 0
- /*
- * Delete all NSEC records and RRSIG(NSEC) if we are in
- * NSEC3 mode and vica versa.
- */
- for (result = dns_rdatasetiter_first(rdsiter2);
- result == ISC_R_SUCCESS;
- result = dns_rdatasetiter_next(rdsiter2)) {
- dns_rdatasetiter_current(rdsiter, &rdataset);
- type = rdataset.type;
- covers = rdataset.covers;
- if (type == dns_rdatatype_rrsig)
- type = covers;
- dns_rdataset_disassociate(&rdataset);
- if (type == nsec_datatype ||
- (type != dns_rdatatype_nsec &&
- type != dns_rdatatype_nsec3))
- continue;
- if (covers != 0)
- type = dns_rdatatype_rrsig;
- result = dns_db_deleterdataset(gdb, node, gversion,
- type, covers);
- check_result(result, "dns_db_deleterdataset()");
- }
-#endif
 }
 dns_rdatasetiter_destroy(&rdsiter);
@@ -1198,7 +1227,7 @@ cleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
 dns_rdataset_t set;
 isc_result_t result, dresult;
- if (outputformat != dns_masterformat_text)
+ if (outputformat != dns_masterformat_text || !disable_zone_check)
 return;
 dns_rdataset_init(&set);
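Review bot: The new condition makes cleannode return unless output is text and `-P` was given, so the clean-up it performs is now skipped whenever the post-sign verifier is enabled, but nothing at the `return` says why. If the reason is that verifyzone needs those records to still be present, say so: `/* Leave the records in place when the zone verifier will run; cleaning only happens for text output with -P. */`. This also means `-P` has an effect beyond disabling the checks, which the `-P` entry in the man page hunk earlier in this diff does not mention.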
@@ -1248,6 +1277,424 @@ postsign(void) { dns_dbiterator_destroy(&gdbiter); } +static isc_boolean_t +goodsig(dns_rdata_t *sigrdata, dns_name_t *name, dns_rdataset_t *keyrdataset, + dns_rdataset_t *rdataset) +{ + dns_rdata_dnskey_t key; + dns_rdata_rrsig_t sig; + dst_key_t *dstkey = NULL; + isc_result_t result; + + dns_rdata_tostruct(sigrdata, &sig, NULL); + + for (result = dns_rdataset_first(keyrdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(keyrdataset)) { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_current(keyrdataset, &rdata); + dns_rdata_tostruct(&rdata, &key, NULL); + result = dns_dnssec_keyfromrdata(gorigin, &rdata, mctx, + &dstkey); + if (result != ISC_R_SUCCESS) + return (ISC_FALSE); + if (sig.algorithm != key.algorithm || + sig.keyid != dst_key_id(dstkey) || + !dns_name_equal(&sig.signer, gorigin)) { + dst_key_free(&dstkey); + continue; + } + result = dns_dnssec_verify(name, rdataset, dstkey, ISC_FALSE, + mctx, sigrdata); + dst_key_free(&dstkey); + if (result == ISC_R_SUCCESS) + return(ISC_TRUE); + } + return (ISC_FALSE); +} + +static void +verifyset(dns_rdataset_t *rdataset, dns_name_t *name, dns_dbnode_t *node, + dns_rdataset_t *keyrdataset, unsigned char *ksk_algorithms, + unsigned char *bad_algorithms) +{ + unsigned char set_algorithms[256]; + char namebuf[DNS_NAME_FORMATSIZE]; + char algbuf[80]; + char typebuf[80]; + dns_rdataset_t sigrdataset; + dns_rdatasetiter_t *rdsiter = NULL; + isc_result_t result; + int i; + + dns_rdataset_init(&sigrdataset); + result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + check_result(result, "dns_db_allrdatasets()"); + for (result = dns_rdatasetiter_first(rdsiter); + result == ISC_R_SUCCESS; + result = dns_rdatasetiter_next(rdsiter)) { + dns_rdatasetiter_current(rdsiter, &sigrdataset); + if (sigrdataset.type == dns_rdatatype_rrsig && + sigrdataset.covers == rdataset->type) + break; + dns_rdataset_disassociate(&sigrdataset); + } + if (result != ISC_R_SUCCESS) { + 
dns_name_format(name, namebuf, sizeof(namebuf)); + type_format(rdataset->type, typebuf, sizeof(typebuf)); + fprintf(stderr, "no signatures for %s/%s\n", namebuf, typebuf); + for (i = 0; i < 256; i++) + if (ksk_algorithms[i] != 0) + bad_algorithms[i] = 1; + return; + } + + memset(set_algorithms, 0, sizeof(set_algorithms)); + for (result = dns_rdataset_first(&sigrdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&sigrdataset)) { + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdata_rrsig_t sig; + + dns_rdataset_current(&sigrdataset, &rdata); + dns_rdata_tostruct(&rdata, &sig, NULL); + if ((set_algorithms[sig.algorithm] != 0) || + (ksk_algorithms[sig.algorithm] == 0)) + continue; + if (goodsig(&rdata, name, keyrdataset, rdataset)) + set_algorithms[sig.algorithm] = 1; + } + dns_rdatasetiter_destroy(&rdsiter); + if (memcmp(set_algorithms, ksk_algorithms, sizeof(set_algorithms))) { + dns_name_format(name, namebuf, sizeof(namebuf)); + type_format(rdataset->type, typebuf, sizeof(typebuf)); + for (i = 0; i < 256; i++) + if ((ksk_algorithms[i] != 0) && + (set_algorithms[i] == 0)) { + alg_format(i, algbuf, sizeof(algbuf)); + fprintf(stderr, "Missing %s signature for " + "%s %s\n", algbuf, namebuf, typebuf); + bad_algorithms[i] = 1; + } + } + dns_rdataset_disassociate(&sigrdataset); +} + +static void +verifynode(dns_name_t *name, dns_dbnode_t *node, isc_boolean_t delegation, + dns_rdataset_t *keyrdataset, unsigned char *ksk_algorithms, + unsigned char *bad_algorithms) +{ + dns_rdataset_t rdataset; + dns_rdatasetiter_t *rdsiter = NULL; + isc_result_t result; + + result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter); + check_result(result, "dns_db_allrdatasets()"); + result = dns_rdatasetiter_first(rdsiter); + dns_rdataset_init(&rdataset); + while (result == ISC_R_SUCCESS) { + dns_rdatasetiter_current(rdsiter, &rdataset); + if (rdataset.type != dns_rdatatype_rrsig && + rdataset.type != dns_rdatatype_dnskey && + (!delegation || rdataset.type == 
dns_rdatatype_ds || + rdataset.type == dns_rdatatype_nsec)) { + verifyset(&rdataset, name, node, keyrdataset, + ksk_algorithms, bad_algorithms); + } + dns_rdataset_disassociate(&rdataset); + result = dns_rdatasetiter_next(rdsiter); + } + if (result != ISC_R_NOMORE) + fatal("rdataset iteration failed: %s", + isc_result_totext(result)); + dns_rdatasetiter_destroy(&rdsiter); +} + +/*% + * Verify that certain things are sane: + * + * The apex has a DNSKEY record with at least one KSK and at least + * one ZSK. + * + * The DNSKEY record was signed with at least one of the KSKs in this + * set. + * + * The rest of the zone was signed with at least one of the ZSKs + * present in the DNSKEY RRSET. + */ +static void +verifyzone(void) { + char algbuf[80]; + dns_dbiterator_t *dbiter = NULL; + dns_dbnode_t *node = NULL, *nextnode = NULL; + dns_fixedname_t fname, fnextname, fzonecut; + dns_name_t *name, *nextname, *zonecut; + dns_rdata_dnskey_t dnskey; + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_t rdataset; + dns_rdataset_t sigrdataset; + int i; + isc_boolean_t done = ISC_FALSE; + isc_boolean_t first = ISC_TRUE; + isc_boolean_t goodksk = ISC_FALSE; + isc_boolean_t goodzsk = ISC_FALSE; + isc_result_t result; + unsigned char revoked[256]; + unsigned char standby[256]; + unsigned char ksk_algorithms[256]; + unsigned char zsk_algorithms[256]; + unsigned char bad_algorithms[256]; +#ifdef ALLOW_KSKLESS_ZONES + isc_boolean_t allzsksigned = ISC_TRUE; + unsigned char self_algorithms[256]; +#endif + + if (disable_zone_check) + return; + + result = dns_db_findnode(gdb, gorigin, ISC_FALSE, &node); + if (result != ISC_R_SUCCESS) + fatal("failed to find the zone's origin: %s", + isc_result_totext(result)); + + dns_rdataset_init(&rdataset); + dns_rdataset_init(&sigrdataset); + result = dns_db_findrdataset(gdb, node, gversion, + dns_rdatatype_dnskey, + 0, 0, &rdataset, &sigrdataset); + dns_db_detachnode(gdb, &node); + if (result != ISC_R_SUCCESS) + fatal("cannot find DNSKEY rrset\n"); 
+ + if (!dns_rdataset_isassociated(&sigrdataset)) + fatal("cannot find DNSKEY RRSIGs\n"); + + memset(revoked, 0, sizeof(revoked)); + memset(standby, 0, sizeof(revoked)); + memset(ksk_algorithms, 0, sizeof(ksk_algorithms)); + memset(zsk_algorithms, 0, sizeof(zsk_algorithms)); + memset(bad_algorithms, 0, sizeof(bad_algorithms)); +#ifdef ALLOW_KSKLESS_ZONES + memset(self_algorithms, 0, sizeof(self_algorithms)); +#endif + + /* + * Check that the DNSKEY RR has at least one self signing KSK and + * one ZSK per algorithm in it. + */ + for (result = dns_rdataset_first(&rdataset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&rdataset)) { + dns_rdataset_current(&rdataset, &rdata); + result = dns_rdata_tostruct(&rdata, &dnskey, NULL); + check_result(result, "dns_rdata_tostruct"); + + if ((dnskey.flags & DNS_KEYOWNER_ZONE) == 0) + ; + else if ((dnskey.flags & DNS_KEYFLAG_REVOKE) != 0) { + if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 && + !dns_dnssec_selfsigns(&rdata, gorigin, &rdataset, + &sigrdataset, ISC_FALSE, + mctx)) { + char namebuf[DNS_NAME_FORMATSIZE]; + char buffer[1024]; + isc_buffer_t buf; + + dns_name_format(gorigin, namebuf, + sizeof(namebuf)); + isc_buffer_init(&buf, buffer, sizeof(buffer)); + result = dns_rdata_totext(&rdata, NULL, &buf); + check_result(result, "dns_rdata_totext"); + fatal("revoked KSK is not self signed:\n" + "%s DNSKEY %.*s", namebuf, + (int)isc_buffer_usedlength(&buf), buffer); + } + if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0 && + revoked[dnskey.algorithm] != 255) + revoked[dnskey.algorithm]++; + } else if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0) { + if (dns_dnssec_selfsigns(&rdata, gorigin, &rdataset, + &sigrdataset, ISC_FALSE, mctx)) { + if (ksk_algorithms[dnskey.algorithm] != 255) + ksk_algorithms[dnskey.algorithm]++; + goodksk = ISC_TRUE; + } else { + if (standby[dnskey.algorithm] != 255) + standby[dnskey.algorithm]++; + } + } else if (dns_dnssec_selfsigns(&rdata, gorigin, &rdataset, + &sigrdataset, ISC_FALSE, + mctx)) { +#ifdef 
ALLOW_KSKLESS_ZONES + if (self_algorithms[dnskey.algorithm] != 255) + self_algorithms[dnskey.algorithm]++; +#endif + if (zsk_algorithms[dnskey.algorithm] != 255) + zsk_algorithms[dnskey.algorithm]++; + goodzsk = ISC_TRUE; + } else { + if (zsk_algorithms[dnskey.algorithm] != 255) + zsk_algorithms[dnskey.algorithm]++; +#ifdef ALLOW_KSKLESS_ZONES + allzsksigned = ISC_FALSE; +#endif + } + dns_rdata_freestruct(&dnskey); + dns_rdata_reset(&rdata); + } + dns_rdataset_disassociate(&sigrdataset); + + if (!goodksk) { +#ifdef ALLOW_KSKLESS_ZONES + if (!goodzsk) + fatal("no self signing keys found"); + fprintf(stderr, "No self signing KSK found. Using self signed " + "ZSK's for active algorithm list.\n"); + memcpy(ksk_algorithms, self_algorithms, sizeof(ksk_algorithms)); + if (!allzsksigned) + fprintf(stderr, "warning: not all ZSK's are self " + "signed.\n"); +#else + fatal("no self signed KSK's found"); +#endif + } + + fprintf(stderr, "Verifying the zone using the following algorithms:"); + for (i = 0; i < 256; i++) { + if (ksk_algorithms[i] != 0) { + alg_format(i, algbuf, sizeof(algbuf)); + fprintf(stderr, " %s", algbuf); + } + } + fprintf(stderr, ".\n"); + + for (i = 0; i < 256; i++) { + /* + * The counts should both be zero or both be non-zero. + * Mark the algorithm as bad if this is not met. + */ + if ((ksk_algorithms[i] != 0) == (zsk_algorithms[i] != 0)) + continue; + alg_format(i, algbuf, sizeof(algbuf)); + fprintf(stderr, "Missing %s for algorithm %s\n", + (ksk_algorithms[i] != 0) ? "ZSK" : "self signing KSK", + algbuf); + bad_algorithms[i] = 1; + } + + /* + * Check that all the other records were signed by keys that are + * present in the DNSKEY RRSET. 
+ */ + + dns_fixedname_init(&fname); + name = dns_fixedname_name(&fname); + dns_fixedname_init(&fnextname); + nextname = dns_fixedname_name(&fnextname); + dns_fixedname_init(&fzonecut); + zonecut = NULL; + + result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter); + check_result(result, "dns_db_createiterator()"); + + result = dns_dbiterator_first(dbiter); + check_result(result, "dns_dbiterator_first()"); + + while (!done) { + isc_boolean_t isdelegation = ISC_FALSE; + + result = dns_dbiterator_current(dbiter, &node, name); + check_dns_dbiterator_current(result); + if (delegation(name, node, NULL)) { + zonecut = dns_fixedname_name(&fzonecut); + dns_name_copy(name, zonecut, NULL); + isdelegation = ISC_TRUE; + } + verifynode(name, node, isdelegation, &rdataset, + ksk_algorithms, bad_algorithms); + result = dns_dbiterator_next(dbiter); + nextnode = NULL; + while (result == ISC_R_SUCCESS) { + result = dns_dbiterator_current(dbiter, &nextnode, + nextname); + check_dns_dbiterator_current(result); + if (!dns_name_issubdomain(nextname, gorigin) || + (zonecut != NULL && + dns_name_issubdomain(nextname, zonecut))) + { + dns_db_detachnode(gdb, &nextnode); + result = dns_dbiterator_next(dbiter); + continue; + } + dns_db_detachnode(gdb, &nextnode); + break; + } + if (result == ISC_R_NOMORE) { + done = ISC_TRUE; + } else if (result != ISC_R_SUCCESS) + fatal("iterating through the database failed: %s", + isc_result_totext(result)); + dns_db_detachnode(gdb, &node); + } + + dns_dbiterator_destroy(&dbiter); + + result = dns_db_createiterator(gdb, DNS_DB_NSEC3ONLY, &dbiter); + check_result(result, "dns_db_createiterator()"); + + for (result = dns_dbiterator_first(dbiter); + result == ISC_R_SUCCESS; + result = dns_dbiterator_next(dbiter) ) { + result = dns_dbiterator_current(dbiter, &node, name); + check_dns_dbiterator_current(result); + verifynode(name, node, ISC_FALSE, &rdataset, + ksk_algorithms, bad_algorithms); + dns_db_detachnode(gdb, &node); + } + 
dns_dbiterator_destroy(&dbiter); + + dns_rdataset_disassociate(&rdataset); + + /* + * If we made it this far, we have what we consider a properly signed + * zone. Set the good flag. + */ + for (i = 0; i < 256; i++) { + if (bad_algorithms[i] != 0) { + if (first) + fprintf(stderr, "The zone is not fully signed " + "for the following algorithms:"); + alg_format(i, algbuf, sizeof(algbuf)); + fprintf(stderr, " %s", algbuf); + first = ISC_FALSE; + } + } + if (!first) { + fprintf(stderr, ".\n"); + fatal("DNSSEC completeness test failed."); + } + + if (goodksk) { + /* + * Print the success summary. + */ + fprintf(stderr, "Zone signing complete:\n"); + for (i = 0; i < 256; i++) { + if ((zsk_algorithms[i] != 0) || + (ksk_algorithms[i] != 0) || + (revoked[i] != 0) || (standby[i] != 0)) { + alg_format(i, algbuf, sizeof(algbuf)); + fprintf(stderr, "Algorithm: %s: ZSKs: %u, " + "KSKs: %u active, %u revoked, %u " + "stand-by\n", algbuf, + zsk_algorithms[i], ksk_algorithms[i], + revoked[i], standby[i]); + } + } + } +} + /*% * Sign the apex of the zone. * Note the origin may not be the first node if there are out of zone @@ -1265,7 +1712,7 @@ signapex(void) { result = dns_dbiterator_seek(gdbiter, gorigin); check_result(result, "dns_dbiterator_seek()"); result = dns_dbiterator_current(gdbiter, &node, name); - check_result(result, "dns_dbiterator_current()"); + check_dns_dbiterator_current(result); signname(node, name); dumpnode(name, node); cleannode(gdb, gversion, node); @@ -1317,9 +1764,7 @@ assignwork(isc_task_t *task, isc_task_t *worker) { found = ISC_FALSE; while (!found) { result = dns_dbiterator_current(gdbiter, &node, name); - if (result != ISC_R_SUCCESS) - fatal("failure iterating database: %s", - isc_result_totext(result)); + check_dns_dbiterator_current(result); /* * The origin was handled by signapex(). */ 
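Review bot: verifyset leaks `rdsiter` on its "no signatures" path: after `dns_db_allrdatasets()` creates the iterator, the `if (result != ISC_R_SUCCESS)` block prints the message, marks the algorithms bad and returns, while `dns_rdatasetiter_destroy(&rdsiter);` is only reached after the signature loop; add that call before the `return;`. In the same function and in goodsig the return value of `dns_rdata_tostruct()` is ignored, whereas the nsec3clean hunk later in this diff adds `check_result(result, "dns_rdata_tostruct");` for the same call, so the new verifier code should do likewise. In verifyzone, `memset(standby, 0, sizeof(revoked));` works only because both arrays are 256 bytes and should read `sizeof(standby)`. `delegation(name, node, NULL)` is called with a NULL ttl pointer here while nsecify passes `&nsttl`; whether delegation accepts NULL is not visible in this chunk and is worth confirming.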
@@ -1487,7 +1932,7 @@ add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
 }
 /*%
- * Generate NSEC records for the zone.
+ * Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.
 */
 static void
 nsecify(void) {
@@ -1495,10 +1940,14 @@ nsecify(void) {
 dns_dbnode_t *node = NULL, *nextnode = NULL;
 dns_fixedname_t fname, fnextname, fzonecut;
 dns_name_t *name, *nextname, *zonecut;
+ dns_rdataset_t rdataset;
+ dns_rdatasetiter_t *rdsiter = NULL;
+ dns_rdatatype_t type, covers;
 isc_boolean_t done = ISC_FALSE;
 isc_result_t result;
 isc_uint32_t nsttl = 0;
+ dns_rdataset_init(&rdataset);
 dns_fixedname_init(&fname);
 name = dns_fixedname_name(&fname);
 dns_fixedname_init(&fnextname);
@@ -1506,14 +1955,70 @@ nsecify(void) {
 dns_fixedname_init(&fzonecut);
 zonecut = NULL;
+ /*
+ * Remove any NSEC3 chains.
+ */
+ result = dns_db_createiterator(gdb, DNS_DB_NSEC3ONLY, &dbiter);
+ check_result(result, "dns_db_createiterator()");
+ for (result = dns_dbiterator_first(dbiter);
+ result == ISC_R_SUCCESS;
+ result = dns_dbiterator_next(dbiter)) {
+ result = dns_dbiterator_current(dbiter, &node, name);
+ check_dns_dbiterator_current(result);
+ result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets()");
+ for (result = dns_rdatasetiter_first(rdsiter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter)) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ type = rdataset.type;
+ covers = rdataset.covers;
+ dns_rdataset_disassociate(&rdataset);
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ type, covers);
+ check_result(result,
+ "dns_db_deleterdataset(nsec3param/rrsig)");
+ }
+ dns_rdatasetiter_destroy(&rdsiter);
+ dns_db_detachnode(gdb, &node);
+ }
+ dns_dbiterator_destroy(&dbiter);
+
 result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
 check_result(result, "dns_db_createiterator()");
 result = dns_dbiterator_first(dbiter);
 check_result(result, "dns_dbiterator_first()");
+ result = dns_dbiterator_current(dbiter, &node, name);
+ check_dns_dbiterator_current(result);
+ /*
+ * Delete any NSEC3PARAM records at the apex.
+ */
+ result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets()");
+ for (result = dns_rdatasetiter_first(rdsiter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter)) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ type = rdataset.type;
+ covers = rdataset.covers;
+ dns_rdataset_disassociate(&rdataset);
+ if (type == dns_rdatatype_nsec3param ||
+ covers == dns_rdatatype_nsec3param) {
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ type, covers);
+ check_result(result,
+ "dns_db_deleterdataset(nsec3param/rrsig)");
+ continue;
+ }
+ }
+ dns_rdatasetiter_destroy(&rdsiter);
+ dns_db_detachnode(gdb, &node);
+
 while (!done) {
- dns_dbiterator_current(dbiter, &node, name);
+ result = dns_dbiterator_current(dbiter, &node, name);
+ check_dns_dbiterator_current(result);
 if (delegation(name, node, &nsttl)) {
 zonecut = dns_fixedname_name(&fzonecut);
 dns_name_copy(name, zonecut, NULL);
@@ -1526,8 +2031,7 @@ nsecify(void) {
 isc_boolean_t active = ISC_FALSE;
 result = dns_dbiterator_current(dbiter, &nextnode,
 nextname);
- if (result != ISC_R_SUCCESS)
- break;
+ check_dns_dbiterator_current(result);
 active = active_node(nextnode);
 if (!active) {
 dns_db_detachnode(gdb, &nextnode);
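Review bot: Both new rdataset loops in nsecify exit silently when `dns_rdatasetiter_next()` returns something other than ISC_R_NOMORE, unlike verifynode in this same diff, which fatals with `rdataset iteration failed`; adding `if (result != ISC_R_NOMORE) fatal("rdataset iteration failed: %s", isc_result_totext(result));` before each `dns_rdatasetiter_destroy(&rdsiter);` keeps the error handling consistent. The `check_result` label in the first loop says `nsec3param/rrsig` although that loop deletes every rdataset of an NSEC3-only node, so `"dns_db_deleterdataset(nsec3/rrsig)"` would describe it better. The `continue;` at the end of the NSEC3PARAM branch is the last statement of the loop body and can be dropped.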
@@ -1560,37 +2064,6 @@ nsecify(void) {
 dns_dbiterator_destroy(&dbiter);
 }
-/*%
- * Does this node only contain NSEC3 records or RRSIG records or is empty.
- */
-static isc_boolean_t
-nsec3only(dns_dbnode_t *node) {
- dns_rdatasetiter_t *rdsiter = NULL;
- isc_result_t result;
- dns_rdataset_t rdataset;
- isc_boolean_t answer = ISC_TRUE;
-
- dns_rdataset_init(&rdataset);
- result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
- check_result(result, "dns_db_allrdatasets()");
- result = dns_rdatasetiter_first(rdsiter);
- while (result == ISC_R_SUCCESS) {
- dns_rdatasetiter_current(rdsiter, &rdataset);
- if (rdataset.type != dns_rdatatype_nsec3 &&
- rdataset.type != dns_rdatatype_rrsig) {
- answer = ISC_FALSE;
- result = ISC_R_NOMORE;
- } else
- result = dns_rdatasetiter_next(rdsiter);
- dns_rdataset_disassociate(&rdataset);
- }
- if (result != ISC_R_NOMORE)
- fatal("rdataset iteration failed: %s",
- isc_result_totext(result));
- dns_rdatasetiter_destroy(&rdsiter);
- return (answer);
-}
-
 static void
 addnsec3param(const unsigned char *salt, size_t salt_length,
 unsigned int iterations)
@@ -1631,6 +2104,16 @@ addnsec3param(const unsigned char *salt, size_t salt_length,
 result = dns_db_findnode(gdb, gorigin, ISC_TRUE, &node);
 check_result(result, "dns_db_find(gorigin)");
+
+ /*
+ * Delete any current NSEC3PARAM records.
+ */
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ dns_rdatatype_nsec3param, 0);
+ if (result == DNS_R_UNCHANGED)
+ result = ISC_R_SUCCESS;
+ check_result(result, "dddnsec3param: dns_db_deleterdataset()");
+
 result = dns_db_addrdataset(gdb, node, gversion, 0, &rdataset,
 DNS_DBADD_MERGE, NULL);
 if (result == DNS_R_UNCHANGED)
@@ -1719,6 +2202,7 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
 isc_buffer_t target;
 isc_result_t result;
 unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
+ isc_boolean_t exists;
 /*
 * Get the first label.
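Review bot: The error label `"dddnsec3param: dns_db_deleterdataset()"` in addnsec3param has a typo in the function name; it should read `"addnsec3param: dns_db_deleterdataset()"` so a fatal message points at the right place. The comment `Delete any current NSEC3PARAM records.` could also say why DNS_R_UNCHANGED is folded into success, e.g. `/* DNS_R_UNCHANGED just means there was no NSEC3PARAM to delete. */`.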
@@ -1740,8 +2224,7 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
 hash[isc_buffer_usedlength(&target)] = 0;
- if (hashlist_exists(hashlist, hash))
- return;
+ exists = hashlist_exists(hashlist, hash);
 /*
 * Verify that the NSEC3 parameters match the current ones
@@ -1756,20 +2239,21 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
 return;
 /*
- * Delete any matching NSEC3 records which have parameters that
- * match the NSEC3 chain we are building.
+ * Delete any NSEC3 records which are not part of the current
+ * NSEC3 chain.
 */
 for (result = dns_rdataset_first(&rdataset);
 result == ISC_R_SUCCESS;
 result = dns_rdataset_next(&rdataset)) {
 dns_rdata_init(&rdata);
 dns_rdataset_current(&rdataset, &rdata);
- dns_rdata_tostruct(&rdata, &nsec3, NULL);
- if (nsec3.hash == hashalg &&
+ result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+ check_result(result, "dns_rdata_tostruct");
+ if (exists && nsec3.hash == hashalg &&
 nsec3.iterations == iterations &&
 nsec3.salt_length == salt_length &&
 !memcmp(nsec3.salt, salt, salt_length))
- break;
+ continue;
 rdatalist.rdclass = rdata.rdclass;
 rdatalist.type = rdata.type;
 rdatalist.covers = 0;
@@ -1783,7 +2267,7 @@ nsec3clean(dns_name_t *name, dns_dbnode_t *node,
 result = dns_db_subtractrdataset(gdb, node, gversion,
 &delrdataset, 0, NULL);
 dns_rdataset_disassociate(&delrdataset);
- if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED)
+ if (result != ISC_R_SUCCESS && result != DNS_R_NXRRSET)
 check_result(result, "dns_db_subtractrdataset(NSEC3)");
 delete_rrsigs = ISC_TRUE;
 }
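Review bot: The tolerated result after `dns_db_subtractrdataset()` changes from DNS_R_UNCHANGED to DNS_R_NXRRSET, so an UNCHANGED result is now fatal while NXRRSET is silently accepted; nothing in the hunk explains the swap, and a one-line comment above the check, e.g. `/* DNS_R_NXRRSET: the whole NSEC3 RRset was already removed by an earlier rdata. */` if that is the case, would stop the next reader from reverting it. With `exists` now computed instead of returning early, every NSEC3 record at a node not in the hash list is deleted regardless of its parameters, which matches the rewritten comment. These hunks start and end inside nsec3clean, so what `delete_rrsigs` triggers is outside the view.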
@@ -1814,13 +2298,17 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 dns_dbnode_t *node = NULL, *nextnode = NULL;
 dns_fixedname_t fname, fnextname, fzonecut;
 dns_name_t *name, *nextname, *zonecut;
+ dns_rdataset_t rdataset;
+ dns_rdatasetiter_t *rdsiter = NULL;
+ dns_rdatatype_t type, covers;
+ int order;
+ isc_boolean_t active;
 isc_boolean_t done = ISC_FALSE;
 isc_result_t result;
- isc_boolean_t active;
 isc_uint32_t nsttl = 0;
 unsigned int count, nlabels;
- int order;
+ dns_rdataset_init(&rdataset);
 dns_fixedname_init(&fname);
 name = dns_fixedname_name(&fname);
 dns_fixedname_init(&fnextname);
@@ -1837,15 +2325,41 @@ nsec3ify(unsigned int hashalg, unsigned int iterations,
 result = dns_dbiterator_first(dbiter);
 check_result(result, "dns_dbiterator_first()");
+ result = dns_dbiterator_current(dbiter, &node, name);
+ check_dns_dbiterator_current(result);
+ /*
+ * Delete any NSEC records at the apex.
+ */
+ result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+ check_result(result, "dns_db_allrdatasets()");
+ for (result = dns_rdatasetiter_first(rdsiter);
+ result == ISC_R_SUCCESS;
+ result = dns_rdatasetiter_next(rdsiter)) {
+ dns_rdatasetiter_current(rdsiter, &rdataset);
+ type = rdataset.type;
+ covers = rdataset.covers;
+ dns_rdataset_disassociate(&rdataset);
+ if (type == dns_rdatatype_nsec ||
+ covers == dns_rdatatype_nsec) {
+ result = dns_db_deleterdataset(gdb, node, gversion,
+ type, covers);
+ check_result(result,
+ "dns_db_deleterdataset(nsec3param/rrsig)");
+ continue;
+ }
+ }
+ dns_rdatasetiter_destroy(&rdsiter);
+ dns_db_detachnode(gdb, &node);
+
 while (!done) {
- dns_dbiterator_current(dbiter, &node, name);
+ result = dns_dbiterator_current(dbiter, &node, name);
+ check_dns_dbiterator_current(result);
 result = dns_dbiterator_next(dbiter);
 nextnode = NULL;
 while (result == ISC_R_SUCCESS) {
 result = dns_dbiterator_current(dbiter, &nextnode,
 nextname);
- if (result != ISC_R_SUCCESS)
- break;
+ check_dns_dbiterator_current(result);
 active = active_node(nextnode);
 if (!active) {
 dns_db_detachnode(gdb, &nextnode);
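Review bot: The `check_result` label in the new apex loop of nsec3ify reads `dns_db_deleterdataset(nsec3param/rrsig)` but the branch deletes NSEC records (`type == dns_rdatatype_nsec || covers == dns_rdatatype_nsec`), evidently carried over from the nsecify loop earlier in this diff; it should be `"dns_db_deleterdataset(nsec/rrsig)"` as in active_node. As in nsecify, the loop does not check that it ended with ISC_R_NOMORE, and the trailing `continue;` is redundant.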
@@ -1927,6 +2441,26 @@ nsec3ify(unsigned int hashalg, unsigned int iterations, addnsec3param(salt, salt_length, iterations); + /* + * Clean out NSEC3 records which don't match this chain. + */ + result = dns_db_createiterator(gdb, DNS_DB_NSEC3ONLY, &dbiter); + check_result(result, "dns_db_createiterator()"); + + for (result = dns_dbiterator_first(dbiter); + result == ISC_R_SUCCESS; + result = dns_dbiterator_next(dbiter)) { + result = dns_dbiterator_current(dbiter, &node, name); + check_dns_dbiterator_current(result); + nsec3clean(name, node, hashalg, iterations, salt, salt_length, + hashlist); + dns_db_detachnode(gdb, &node); + } + dns_dbiterator_destroy(&dbiter); + + /* + * Generate / complete the new chain. + */ result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter); check_result(result, "dns_db_createiterator()"); @@ -1934,25 +2468,16 @@ nsec3ify(unsigned int hashalg, unsigned int iterations, check_result(result, "dns_dbiterator_first()"); while (!done) { - dns_dbiterator_current(dbiter, &node, name); + result = dns_dbiterator_current(dbiter, &node, name); + check_dns_dbiterator_current(result); result = dns_dbiterator_next(dbiter); nextnode = NULL; while (result == ISC_R_SUCCESS) { result = dns_dbiterator_current(dbiter, &nextnode, nextname); - if (result != ISC_R_SUCCESS) - break; - /* - * Cleanout NSEC3 RRsets which don't exist in the - * hash table. - */ - nsec3clean(nextname, nextnode, hashalg, iterations, - salt, salt_length, hashlist); - /* - * Skip NSEC3 only nodes when looking for the next - * node in the zone. Also skips now empty nodes. - */ - if (nsec3only(nextnode)) { + check_dns_dbiterator_current(result); + active = active_node(nextnode); + if (!active) { dns_db_detachnode(gdb, &nextnode); result = dns_dbiterator_next(dbiter); continue; 
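Review bot: Replacing `nsec3only(nextnode)` with `active_node(nextnode)` drops the comment that explained why nodes are skipped here, and the reader now has to infer from the helper's name what "inactive" covers. Since the cleanup pass moved into its own loop above, the skip condition is the only thing left in this inner loop that is not self-explanatory; suggest restoring a short comment before the check, e.g. `/* Skip NSEC3-only nodes and nodes emptied by the cleanup pass when looking for the next name in the zone. */`. Whether `active_node()` treats a node holding only NSEC3/RRSIG(NSEC3) as inactive is not visible in this hunk, so that wording should be confirmed against its definition. nsec3ify() continues outside this hunk.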
@@ -2098,7 +2623,8 @@ loadzonepubkeys(dns_db_t *db) { dns_rdataset_init(&rdataset); result = dns_db_findrdataset(db, node, currentversion, - dns_rdatatype_dnskey, 0, 0, &rdataset, NULL); + dns_rdatatype_dnskey, 0, 0, &rdataset, + NULL); if (result != ISC_R_SUCCESS) fatal("failed to find keys at the zone apex: %s", isc_result_totext(result)); @@ -2134,7 +2660,7 @@ warnifallksk(dns_db_t *db) { dns_rdataset_t rdataset; dns_rdata_t rdata = DNS_RDATA_INIT; isc_result_t result; - dns_rdata_key_t key; + dns_rdata_dnskey_t dnskey; isc_boolean_t have_non_ksk = ISC_FALSE; dns_db_currentversion(db, ¤tversion); @@ -2146,7 +2672,8 @@ warnifallksk(dns_db_t *db) { dns_rdataset_init(&rdataset); result = dns_db_findrdataset(db, node, currentversion, - dns_rdatatype_dnskey, 0, 0, &rdataset, NULL); + dns_rdatatype_dnskey, 0, 0, &rdataset, + NULL); if (result != ISC_R_SUCCESS) fatal("failed to find keys at the zone apex: %s", isc_result_totext(result)); 
@@ -2155,21 +2682,27 @@ warnifallksk(dns_db_t *db) { while (result == ISC_R_SUCCESS) { dns_rdata_reset(&rdata); dns_rdataset_current(&rdataset, &rdata); - result = dns_rdata_tostruct(&rdata, &key, NULL); + result = dns_rdata_tostruct(&rdata, &dnskey, NULL); check_result(result, "dns_rdata_tostruct"); - if ((key.flags & DNS_KEYFLAG_KSK) == 0) { + if ((dnskey.flags & DNS_KEYFLAG_KSK) == 0) { have_non_ksk = ISC_TRUE; result = ISC_R_NOMORE; } else result = dns_rdataset_next(&rdataset); + dns_rdata_freestruct(&dnskey); } dns_rdataset_disassociate(&rdataset); dns_db_detachnode(db, &node); dns_db_closeversion(db, ¤tversion, ISC_FALSE); - if (!have_non_ksk && !ignoreksk) - fprintf(stderr, "%s: warning: No non-KSK dnskey found. " - "Supply non-KSK dnskey or use '-z'.\n", - program); + if (!have_non_ksk && !ignoreksk) { + if (disable_zone_check) + fprintf(stderr, "%s: warning: No non-KSK dnskey found. " + "Supply non-KSK dnskey or use '-z'.\n", + program); + else + fatal("No non-KSK dnskey found. " + "Supply non-KSK dnskey or use '-z'."); + } } static void @@ -2343,7 +2876,8 @@ usage(void) { fprintf(stderr, "\t-g:\t"); fprintf(stderr, "generate DS records from keyset files\n"); fprintf(stderr, "\t-s [YYYYMMDDHHMMSS|+offset]:\n"); - fprintf(stderr, "\t\tRRSIG start time - absolute|offset (now - 1 hour)\n"); + fprintf(stderr, "\t\tRRSIG start time - absolute|offset " + "(now - 1 hour)\n"); fprintf(stderr, "\t-e [YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n"); fprintf(stderr, "\t\tRRSIG end time - absolute|from start|from now " "(now + 30 days)\n"); 
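Review bot: The new `disable_zone_check` branch gives `-P` a second meaning that the option's own help text ("disable post-sign verification") does not cover: with `-P` a zone with only KSKs is signed after a warning, without it the run now aborts. An operator who adds `-P` to speed up signing will silently lose this sanity check, so the divergence should be visible in the code and in the option's documentation; suggest a comment above the `if`, `/* -P also downgrades the missing-ZSK check from fatal to the pre-9.6.2 warning. */`, and a matching sentence in the `-P` entries of the manual page. The added `dns_rdata_freestruct(&dnskey);` correctly releases the struct on both branches of the loop. warnifallksk() begins outside this hunk.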
@@ -2351,7 +2885,8 @@ usage(void) { fprintf(stderr, "\t\tcycle interval - resign " "if < interval from end ( (end-start)/4 )\n"); fprintf(stderr, "\t-j jitter:\n"); - fprintf(stderr, "\t\trandomize signature end time up to jitter seconds\n"); + fprintf(stderr, "\t\trandomize signature end time up to jitter " + "seconds\n"); fprintf(stderr, "\t-v debuglevel (0)\n"); fprintf(stderr, "\t-o origin:\n"); fprintf(stderr, "\t\tzone origin (name of zonefile)\n"); @@ -2370,6 +2905,8 @@ usage(void) { fprintf(stderr, "verify generated signatures\n"); fprintf(stderr, "\t-p:\t"); fprintf(stderr, "use pseudorandom data (faster but less secure)\n"); + fprintf(stderr, "\t-P:\t"); + fprintf(stderr, "disable post-sign verification\n"); fprintf(stderr, "\t-t:\t"); fprintf(stderr, "print statistics\n"); fprintf(stderr, "\t-n ncpus (number of cpus present)\n"); @@ -2448,7 +2985,7 @@ main(int argc, char *argv[]) { unsigned char saltbuf[255]; hashlist_t hashlist; -#define CMDLINE_FLAGS "3:aAc:d:e:f:ghH:i:I:j:k:l:m:n:N:o:O:pr:s:StUv:z" +#define CMDLINE_FLAGS "3:aAc:d:e:f:FghH:i:I:j:k:l:m:n:N:o:O:pPr:s:StUv:z" /* * Process memory debugging argument first. @@ -2535,19 +3072,19 @@ main(int argc, char *argv[]) { generateds = ISC_TRUE; break; - case '?': - if (isc_commandline_option != '?') - fprintf(stderr, "%s: invalid argument -%c\n", - program, isc_commandline_option); + case 'H': + iterations = strtoul(isc_commandline_argument, + &endp, 0); + if (*endp != '\0') + fatal("iterations must be numeric"); + if (iterations > 0xffffU) + fatal("iterations too big"); + break; + case 'h': usage(); break; - default: - fprintf(stderr, "%s: unhandled option -%c\n", - program, isc_commandline_option); - exit(1); - case 'i': endp = NULL; cycle = strtol(isc_commandline_argument, &endp, 0); 
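Review bot: The relocated `-H` handling accepts an empty argument as zero iterations: for `-H ""` strtoul() returns 0 and sets `endp` to the start of the string, so `*endp == '\0'` passes and no error is raised. The range check catches overflow and negative input (both come back as ULONG_MAX), so only the empty case slips through; tighten the test to `if (endp == isc_commandline_argument || *endp != '\0')` before `fatal("iterations must be numeric");`. This is moved rather than new code, but it is the version being shipped. main() begins and ends outside this hunk.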
@@ -2567,8 +3104,13 @@ main(int argc, char *argv[]) { fatal("jitter must be numeric and positive"); break; + case 'k': + if (ndskeys == MAXDSKEYS) + fatal("too many key-signing keys specified"); + dskeyfile[ndskeys++] = isc_commandline_argument; + break; + case 'l': - dns_fixedname_init(&dlv_fixed); len = strlen(isc_commandline_argument); isc_buffer_init(&b, isc_commandline_argument, len); isc_buffer_add(&b, len); @@ -2580,12 +3122,6 @@ main(int argc, char *argv[]) { check_result(result, "dns_name_fromtext(dlv)"); break; - case 'k': - if (ndskeys == MAXDSKEYS) - fatal("too many key-signing keys specified"); - dskeyfile[ndskeys++] = isc_commandline_argument; - break; - case 'm': break; @@ -2600,15 +3136,6 @@ main(int argc, char *argv[]) { serialformatstr = isc_commandline_argument; break; - case 'H': - iterations = strtoul(isc_commandline_argument, - &endp, 0); - if (*endp != '\0') - fatal("iterations must be numeric"); - if (iterations > 0xffffU) - fatal("iterations too big"); - break; - case 'o': origin = isc_commandline_argument; break; @@ -2621,6 +3148,10 @@ main(int argc, char *argv[]) { pseudorandom = ISC_TRUE; break; + case 'P': + disable_zone_check = ISC_TRUE; + break; + case 'r': setup_entropy(mctx, isc_commandline_argument, &ectx); break; @@ -2653,6 +3184,21 @@ main(int argc, char *argv[]) { case 'z': ignoreksk = ISC_TRUE; break; + + case 'F': + /* Reserved for FIPS mode */ + /* FALLTHROUGH */ + case '?': + if (isc_commandline_option != '?') + fprintf(stderr, "%s: invalid argument -%c\n", + program, isc_commandline_option); + usage(); + break; + + default: + fprintf(stderr, "%s: unhandled option -%c\n", + program, isc_commandline_option); + exit(1); } } 
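Review bot: The `-l` case loses its `dns_fixedname_init(&dlv_fixed);`, and nothing in this hunk shows where that initialisation went. If it was hoisted to before the option loop that is fine, but if not, `dns_fixedname_name(&dlv_fixed)` in the lines that follow (outside this hunk) would operate on an uninitialised fixedname; please confirm the init now happens unconditionally earlier in main(), and consider a comment at the hoisted call such as `/* dlv_fixed must be initialised before -l is parsed. */`. The `-k`/`-H` blocks are pure relocation. main() begins and ends outside this hunk.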
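Review bot: Because `F` was added to CMDLINE_FLAGS, `-F` is accepted by the option parser and then, via the new fallthrough into `case '?'`, reported as `invalid argument -F` followed by `usage()`. That message tells the user the flag is unknown rather than reserved, and if usage() exits with status 0 as it does elsewhere in the BIND tools, a script that passes `-F` expecting FIPS mode would not notice it was ignored. Suggest a dedicated branch instead of the fallthrough, e.g. `case 'F': fatal("-F (FIPS mode) is not supported by this build");`, or drop `F` from CMDLINE_FLAGS until it does something. main() begins and ends outside this hunk.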
@@ -2743,7 +3289,8 @@ main(int argc, char *argv[]) { else if (strcasecmp(serialformatstr, "unixtime") == 0) serialformat = SOA_SERIAL_UNIXTIME; else - fatal("unknown soa serial format: %s\n", serialformatstr); + fatal("unknown soa serial format: %s\n", + serialformatstr); } result = dns_master_stylecreate(&dsstyle, DNS_STYLEFLAG_NO_TTL, @@ -2769,7 +3316,12 @@ main(int argc, char *argv[]) { "NSEC only DNSKEY"); } + /* + * We need to do this early on, as we start messing with the list + * of keys rather early. + */ ISC_LIST_INIT(keylist); + isc_rwlock_init(&keylist_lock, 0, 0); if (argc == 0) { loadzonekeys(gdb); @@ -2806,6 +3358,7 @@ main(int argc, char *argv[]) { } if (key == NULL) { key = newkeystruct(newkey, ISC_TRUE); + key->commandline = ISC_TRUE; ISC_LIST_APPEND(keylist, key, link); } else dst_key_free(&newkey); @@ -2856,8 +3409,11 @@ main(int argc, char *argv[]) { } if (ISC_LIST_EMPTY(keylist)) { - fprintf(stderr, "%s: warning: No keys specified or found\n", - program); + if (disable_zone_check) + fprintf(stderr, "%s: warning: No keys specified " + "or found\n", program); + else + fatal("No signing keys specified or found."); nokeys = ISC_TRUE; } @@ -2972,6 +3528,7 @@ main(int argc, char *argv[]) { isc_taskmgr_destroy(&taskmgr); isc_mem_put(mctx, tasks, ntasks * sizeof(isc_task_t *)); postsign(); + verifyzone(); if (outputformat != dns_masterformat_text) { result = dns_master_dumptostream2(mctx, gdb, gversion, diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook index 7ed320ad5754..f204fcd60d75 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.docbook +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-signzone.docbook,v 1.31.44.6 2009/06/09 01:47:19 each Exp $ --> +<!-- $Id: dnssec-signzone.docbook,v 1.31.44.8 2009/11/06 21:36:22 each Exp $ --> <refentry id="man.dnssec-signzone"> <refentryinfo> <date>June 08, 2009</date> 
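Review bot: `isc_rwlock_init(&keylist_lock, 0, 0);` discards its result, while every other ISC initialisation in this function is routed through check_result(). isc_rwlock_init() returns an isc_result_t and can fail (for example on resource exhaustion), after which the signing threads would take a lock that was never set up; change it to `result = isc_rwlock_init(&keylist_lock, 0, 0);` followed by `check_result(result, "isc_rwlock_init()");`. The comment above it explains the placement but not that the lock now guards keylist for the worker tasks, which is worth a few words. main() begins and ends outside this hunk.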
@@ -73,6 +73,7 @@ <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg> <arg><option>-O <replaceable class="parameter">output-format</replaceable></option></arg> <arg><option>-p</option></arg> + <arg><option>-P</option></arg> <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg> <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg> <arg><option>-t</option></arg> @@ -91,10 +92,10 @@ <para><command>dnssec-signzone</command> signs a zone. It generates NSEC and RRSIG records and produces a signed version of the - zone. The security status of delegations from the signed zone - (that is, whether the child zones are secure or not) is - determined by the presence or absence of a - <filename>keyset</filename> file for each child zone. + zone. It also generates a <filename>keyset-</filename> file containing + the key-signing keys for the zone, and if signing a zone which + contains delegations, it can optionally generate DS records for + the child zones from their <filename>keyset-</filename> files. </para> </refsect1> @@ -154,8 +155,10 @@ <term>-g</term> <listitem> <para> - Generate DS records for child zones from keyset files. - Existing DS records will be removed. + If the zone contains any delegations, and there are + <filename>keyset-</filename> files for any of the child zones, + then DS records for the child zones will be generated from the + keys in those files. Existing DS records will be removed. </para> </listitem> </varlistentry> 
@@ -360,6 +363,22 @@ </varlistentry> <varlistentry> + <term>-P</term> + <listitem> + <para> + Disable post sign verification tests. + </para> + <para> + The post sign verification test ensures that for each algorithm + in use there is at least one non revoked self signed KSK key, + that all revoked KSK keys are self signed, and that all records + in the zone are signed by the algorithm. + This option skips these tests. + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>-r <replaceable class="parameter">randomdev</replaceable></term> <listitem> <para> diff --git a/contrib/bind9/bin/dnssec/dnssec-signzone.html b/contrib/bind9/bin/dnssec/dnssec-signzone.html index 652d5c4355f2..e7c534f9094b 100644 --- a/contrib/bind9/bin/dnssec/dnssec-signzone.html +++ b/contrib/bind9/bin/dnssec/dnssec-signzone.html @@ -2,7 +2,7 @@ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC") - Copyright (C) 2000-2003 Internet Software Consortium. - - - Permission to use, copy, modify, and distribute this software for any + - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above - copyright notice and this permission notice appear in all copies. - @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-signzone.html,v 1.33.44.4.8.1 2009/12/31 23:17:46 tbox Exp $ --> +<!-- $Id: dnssec-signzone.html,v 1.33.44.8 2009/11/07 01:56:11 tbox Exp $ --> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 
@@ -29,21 +29,21 @@ </div> <div class="refsynopsisdiv"> <h2>Synopsis</h2> -<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div> +<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code> [<code class="option">-a</code>] [<code class="option">-c <em 
class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-P</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div> </div> <div class="refsect1" lang="en"> -<a name="id2543554"></a><h2>DESCRIPTION</h2> +<a name="id2543558"></a><h2>DESCRIPTION</h2> <p><span><strong class="command">dnssec-signzone</strong></span> signs a zone. It generates NSEC and RRSIG records and produces a signed version of the - zone. 
The security status of delegations from the signed zone - (that is, whether the child zones are secure or not) is - determined by the presence or absence of a - <code class="filename">keyset</code> file for each child zone. + zone. It also generates a <code class="filename">keyset-</code> file containing + the key-signing keys for the zone, and if signing a zone which + contains delegations, it can optionally generate DS records for + the child zones from their <code class="filename">keyset-</code> files. </p> </div> <div class="refsect1" lang="en"> -<a name="id2543569"></a><h2>OPTIONS</h2> +<a name="id2543576"></a><h2>OPTIONS</h2> <div class="variablelist"><dl> <dt><span class="term">-a</span></dt> <dd><p> @@ -70,8 +70,10 @@ </p></dd> <dt><span class="term">-g</span></dt> <dd><p> - Generate DS records for child zones from keyset files. - Existing DS records will be removed. + If the zone contains any delegations, and there are + <code class="filename">keyset-</code> files for any of the child zones, + then DS records for the child zones will be generated from the + keys in those files. Existing DS records will be removed. </p></dd> <dt><span class="term">-s <em class="replaceable"><code>start-time</code></em></span></dt> <dd><p> @@ -202,6 +204,19 @@ may be useful when signing large zones or when the entropy source is limited. </p></dd> +<dt><span class="term">-P</span></dt> +<dd> +<p> + Disable post sign verification tests. + </p> +<p> + The post sign verification test ensures that for each algorithm + in use there is at least one non revoked self signed KSK key, + that all revoked KSK keys are self signed, and that all records + in the zone are signed by the algorithm. + This option skips these tests. + </p> +</dd> <dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> <dd><p> Specifies the source of randomness. If the operating 
@@ -258,7 +273,7 @@ </dl></div> </div> <div class="refsect1" lang="en"> -<a name="id2544407"></a><h2>EXAMPLE</h2> +<a name="id2544503"></a><h2>EXAMPLE</h2> <p> The following command signs the <strong class="userinput"><code>example.com</code></strong> zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span> @@ -287,7 +302,7 @@ db.example.com.signed %</pre> </div> <div class="refsect1" lang="en"> -<a name="id2544458"></a><h2>KNOWN BUGS</h2> +<a name="id2544554"></a><h2>KNOWN BUGS</h2> <p> <span><strong class="command">dnssec-signzone</strong></span> was designed so that it could sign a zone partially, using only a subset of the DNSSEC keys @@ -312,14 +327,14 @@ db.example.com.signed </p> </div> <div class="refsect1" lang="en"> -<a name="id2544484"></a><h2>SEE ALSO</h2> +<a name="id2544716"></a><h2>SEE ALSO</h2> <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>, <em class="citetitle">BIND 9 Administrator Reference Manual</em>, <em class="citetitle">RFC 4033</em>. </p> </div> <div class="refsect1" lang="en"> -<a name="id2544645"></a><h2>AUTHOR</h2> +<a name="id2544741"></a><h2>AUTHOR</h2> <p><span class="corpauthor">Internet Systems Consortium</span> </p> </div> diff --git a/contrib/bind9/bin/dnssec/dnssectool.c b/contrib/bind9/bin/dnssec/dnssectool.c index b89d76945b89..3a6b7f024b65 100644 --- a/contrib/bind9/bin/dnssec/dnssectool.c +++ b/contrib/bind9/bin/dnssec/dnssectool.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssectool.c,v 1.45.334.4 2009/06/08 23:47:00 tbox Exp $ */ +/* $Id: dnssectool.c,v 1.45.334.5 2009/06/22 05:05:00 marka Exp $ */ /*! \file */ @@ -65,7 +65,7 @@ void fatal(const char *format, ...) { va_list args; - fprintf(stderr, "%s: ", program); + fprintf(stderr, "%s: fatal: ", program); va_start(args, format); vfprintf(stderr, format, args); va_end(args); 
diff --git a/contrib/bind9/bin/dnssec/dnssectool.h b/contrib/bind9/bin/dnssec/dnssectool.h index ee476f4ea78b..43b7375b26ea 100644 --- a/contrib/bind9/bin/dnssec/dnssectool.h +++ b/contrib/bind9/bin/dnssec/dnssectool.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2004, 2007, 2008 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2004, 2007-2009 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2000, 2001, 2003 Internet Software Consortium. * * Permission to use, copy, modify, and/or distribute this software for any @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssectool.h,v 1.22 2008/09/25 04:02:38 tbox Exp $ */ +/* $Id: dnssectool.h,v 1.22.48.2 2009/09/04 23:46:58 tbox Exp $ */ #ifndef DNSSECTOOL_H #define DNSSECTOOL_H 1 @@ -45,7 +45,7 @@ type_format(const dns_rdatatype_t type, char *cp, unsigned int size); void alg_format(const dns_secalg_t alg, char *cp, unsigned int size); -#define ALG_FORMATSIZE 10 +#define ALG_FORMATSIZE 20 void sig_format(dns_rdata_rrsig_t *sig, char *cp, unsigned int size); |
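Review bot: ALG_FORMATSIZE is doubled without any note of what drove the new value, so the next person adding an algorithm cannot tell whether 20 still suffices. The constant sizes the buffer that alg_format() fills, and the longest mnemonics currently rendered (such as NSEC3RSASHA1) already exceeded the old 10, which presumably is the motivation; a comment on the define would make that checkable, e.g. `/* Longest algorithm mnemonic alg_format() emits, plus NUL; keep in step with alg_format(). */`. Whether alg_format() truncates or overruns when the text does not fit is not visible here and should be confirmed in dnssectool.c.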