dnssec-signzone.c revision 253f774e358dba38742a484426a4cadf4f248817
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont * Portions Copyright (C) 1999, 2000 Internet Software Consortium.
6825f304c5f0cc2d4ba22fa2b6f7a431f9c1de59Tinderbox User * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User * Permission to use, copy, modify, and distribute this software for any
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User * purpose with or without fee is hereby granted, provided that the above
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User * copyright notice and this permission notice appear in all copies.
d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User * PERFORMANCE OF THIS SOFTWARE.
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont/* $Id: dnssec-signzone.c,v 1.120 2000/12/11 22:55:25 bwelling Exp $ */
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Duponttypedef struct signer_key_struct signer_key_t;
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont#define SIGNER_EVENTCLASS ISC_EVENTCLASS(0x4453)
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont#define SIGNER_EVENT_WRITE (SIGNER_EVENTCLASS + 0)
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont#define SIGNER_EVENT_WORK (SIGNER_EVENTCLASS + 1)
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userstatic unsigned int keycount = 0;
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userstatic isc_stdtime_t starttime = 0, endtime = 0, now;
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupontstatic const dns_master_style_t *masterstyle = &dns_master_style_explicitttl;
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupontstatic unsigned int nsigned = 0, nretained = 0, ndropped = 0;
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userstatic unsigned int nverified = 0, nverifyfailed = 0;
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupontstatic const char *directory;
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupontstatic dns_dbversion_t *gversion; /* The database version */
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupontstatic dns_dbiterator_t *gdbiter; /* The database iterator */
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userstatic dns_name_t *gorigin; /* The database origin */
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupontstatic dns_dbnode_t *gnode = NULL; /* The "current" database node */
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox Userstatic unsigned int ntasks = 0;
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupontstatic isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupontstatic unsigned int assigned = 0, completed = 0;
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupontstatic inline void
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userset_bit(unsigned char *array, unsigned int index, unsigned int bit) {
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupontnewkeystruct(dst_key_t *dstkey, isc_boolean_t isdefault) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User key = isc_mem_get(mctx, sizeof(signer_key_t));
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupontsignwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime,
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont result = dns_dnssec_verify(name, rdataset, key,
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont vbprintf(3, "\tsignature failed to verify\n");
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont return (ISC_TF(dns_name_equal(dst_key_name(key->key), gorigin) &&
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont * Finds the key that generated a SIG, if possible. First look at the keys
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User * that we've loaded already, and then see if there's a key on disk.
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont dns_name_equal(&sig->signer, dst_key_name(key->key)))
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User * Check to see if we expect to find a key at this name. If we see a SIG
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont * and can't find the signing key that we expect to find, we drop the sig.
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont * I'm not sure if this is completely correct, but it seems to work.
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont result = dns_db_find(gdb, name, gversion, dns_rdatatype_key, options,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User 0, NULL, dns_fixedname_name(&fname), NULL, NULL);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User dns_name_format(name, namestr, sizeof namestr);
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont fatal("failure looking for '%s KEY' in database: %s",
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupontsetverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, sig);
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont * Signs a set. Goes through contortions to decide if each SIG should
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User * be dropped or retained, and then determines if any new SIGs need to
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont * be generated.
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupontsignset(dns_diff_t *diff, dns_dbnode_t *node, dns_name_t *name,
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont dns_name_format(name, namestr, sizeof namestr);
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User type_format(set->type, typestr, sizeof typestr);
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont ttl = ISC_MIN(set->ttl, endtime - starttime);
1879ff49326b49a9e4eadaca193c631409bf8575Tinderbox User result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_sig,
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont fatal("failed while looking for '%s SIG %s': %s",
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User namestr, typestr, isc_result_totext(result));
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont wassignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont nowsignedby = isc_mem_get(mctx, arraysize * sizeof(isc_boolean_t));
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont if (wassignedby == NULL || nowsignedby == NULL)
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User for (i = 0; i < arraysize; i++)
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont isc_boolean_t keep = ISC_FALSE, resign = ISC_FALSE;
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont expired = ISC_TF(now + cycle > sig.timeexpire);
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont /* sig is dropped and not replaced */
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont "invalid validity period\n",
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont /* sig is dropped and not replaced */
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont "private key not found\n",
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont vbprintf(2, "\tsig by %s %s - key not found\n",
6825f304c5f0cc2d4ba22fa2b6f7a431f9c1de59Tinderbox User if (!expired && setverifies(name, set, key, &sigrdata))
6825f304c5f0cc2d4ba22fa2b6f7a431f9c1de59Tinderbox User vbprintf(2, "\tsig by %s retained\n", sigstr);
e285c11870c6263cd79b418e104c7eb3e2d96952Tinderbox User "failed to verify");
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont if (!expired && setverifies(name, set, key, &sigrdata))
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont vbprintf(2, "\tsig by %s retained\n", sigstr);
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont "failed to verify");
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont } else if (!expired) {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User vbprintf(2, "\tsig by %s retained\n", sigstr);
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont vbprintf(2, "\tsig by %s expired\n", sigstr);
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL,
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont check_result(result, "dns_difftuple_create");
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User vbprintf(1, "\tresigning with key %s\n", keystr);
7768b049c0b39662baca604ec32b32c6480f8dc6Francis Dupont signwithkey(name, set, &trdata, key->key, &b);
&tuple);
isc_buffer_t b;
&tuple);
static isc_boolean_t
return (ISC_TRUE);
return (ISC_FALSE);
isc_buffer_t b;
if (isc_buffer_availablelength(&b) == 0) {
isc_buffer_putuint8(&b, 0);
goto failure;
goto failure;
goto failure;
goto failure;
goto failure;
static isc_boolean_t
return (ISC_FALSE);
goto failure;
goto failure;
goto failure;
goto failure;
goto failure;
return (found);
isc_buffer_t b;
static int warnwild = 0;
if (warnwild++ == 0) {
program);
if (!atorigin) {
NULL);
if (isdelegation) {
NULL);
} else if (childkey) {
if (neednullkey)
goto skip;
goto skip;
if (isdelegation) {
goto skip;
if (!nokeys)
if (neednullkey)
skip:
static inline isc_boolean_t
if (!active)
if (!active) {
dns_rdatatype_nxt, 0);
return (active);
static inline isc_result_t
if (!active) {
return (result);
static inline isc_result_t
return (ISC_R_SUCCESS);
return (result);
static dns_ttl_t
soattl(void) {
return (ttl);
if (destroy) {
covers);
presign(void) {
postsign(void) {
static isc_result_t
goto out;
&rdsiter);
sizeof(dns_name_t));
out:
return (result);
assigned++;
completed++;
isc_buffer_t b;
int len;
unsigned int nkeys, i;
for (i = 0; i < nkeys; i++) {
&pubkey);
goto next;
goto next;
next:
usage(void) {
exit(0);
int i, ch;
char *endp;
unsigned int eflags;
switch (ch) {
usage();
if (!pseudorandom)
if (ntasks == 0)
usage();
if (argc == 0) {
for (i = 0; i < argc; i++) {
usage();
argv[i]);
program);
for (i = 0; i < (int)ntasks; i++) {
if (printstats)
presign();
(void)isc_app_run();
if (!finished)
for (i = 0; i < (int)ntasks; i++)
postsign();
if (printstats)
if (free_output)
(void) isc_app_finish();
if (printstats) {
nsigned);
ndropped);