dnssec-signzone.c revision 653a78de956fc92049c6ec15a654b65a61aea2a1
 * Portions Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
 * Portions Copyright (C) 1999-2003 Internet Software Consortium.
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
/* $Id: dnssec-signzone.c,v 1.280 2011/10/11 19:26:05 each Exp $ */
#include "dnssectool.h"
#ifndef PATH_MAX
int verbose;
#define SOA_SERIAL_KEEP 0
struct signer_event {
static unsigned int keycount = 0;
static int jitter = 0;
static int nsec3flags = 0;
static unsigned int ntasks = 0;
static unsigned int hash_length = 0;
if (printstats) { \
counter++; \
isc_region_t r;
if (!output_dnssec_only) {
isc_buffer_t b;
if (tryverify) {
&tuple);
static inline isc_boolean_t
static inline isc_boolean_t
static inline isc_boolean_t
static inline isc_boolean_t
static inline isc_boolean_t
static dns_dnsseckey_t *
return (key);
return (NULL);
static dns_dnsseckey_t *
return (key);
return (key);
return (NULL);
return (key);
static isc_boolean_t
switch (result) {
case ISC_R_SUCCESS:
case DNS_R_NXDOMAIN:
case DNS_R_NXRRSET:
return (ISC_TRUE);
case DNS_R_DELEGATION:
case DNS_R_CNAME:
case DNS_R_DNAME:
return (ISC_FALSE);
static inline isc_boolean_t
return (ISC_TRUE);
return (ISC_FALSE);
int arraysize;
if (!nosigs)
for (i = 0; i < arraysize; i++)
if (nosigs)
sigstr);
sigstr);
sigstr);
} else if (!expired) {
if (keep) {
&sigrdata,
&tuple);
&sigrdata,
&tuple);
if (resign) {
struct hashlist {
unsigned char *hashbuf;
l->entries = 0;
if (nodes != 0) {
l->size = 0;
l->size = 0;
l->entries++;
unsigned int len;
size_t i;
if (verbose) {
for (i = 0 ; i < len; i++)
hashlist_comp(const void *a, const void *b) {
static isc_boolean_t
unsigned char *current;
entries--;
return (ISC_TRUE);
return (ISC_FALSE);
return (next);
static isc_boolean_t
return (ISC_TRUE);
return (ISC_FALSE);
if (verbose) {
ISC_TRUE);
isc_buffer_t b;
if (isc_buffer_availablelength(&b) == 0) {
isc_buffer_putuint8(&b, 0);
static isc_result_t
dns_rdatatype_ds, 0, 0,
return (result);
return (ISC_R_NOTFOUND);
return (result);
return (result);
return (result);
static isc_boolean_t
return (ISC_FALSE);
static isc_boolean_t
return (ISC_FALSE);
goto skip;
if (isdelegation) {
goto skip;
namebuf);
skip:
static inline isc_boolean_t
if (!active)
covers);
if (!found) {
covers);
return (active);
get_soa_ttls(void) {
static isc_result_t
return result;
goto cleanup;
if (serial) {
if (new_serial == 0)
dns_rdatatype_soa, 0);
goto cleanup;
goto cleanup;
return (result);
if (destroy) {
covers);
presign(void) {
postsign(void) {
static isc_boolean_t
&dstkey);
return (ISC_FALSE);
return(ISC_TRUE);
return (ISC_FALSE);
unsigned char *bad_algorithms)
if (ksk_algorithms[i] != 0)
if ((ksk_algorithms[i] != 0) &&
(set_algorithms[i] == 0)) {
unsigned char *bad_algorithms)
verifyzone(void) {
if (disable_zone_check)
mctx)) {
sizeof(namebuf));
mctx)) {
if (!goodksk)
if (ksk_algorithms[i] != 0) {
if ((ksk_algorithms[i] != 0) ==
(zsk_algorithms[i] != 0))
(ksk_algorithms[i] != 0)
algbuf);
while (!done) {
nextname);
if (bad_algorithms[i] != 0) {
if (first)
if (!first) {
if ((ksk_algorithms[i] != 0) ||
(standby_ksk[i] != 0) ||
(revoked_zsk[i] != 0) ||
(zsk_algorithms[i] != 0) ||
(standby_zsk[i] != 0) ||
(revoked_zsk[i] != 0)) {
zsk_algorithms[i],
standby_zsk[i],
revoked_zsk[i]);
signapex(void) {
if (shuttingdown)
if (finished) {
ended++;
goto unlock;
while (!found) {
goto next;
nsec_datatype, 0, 0,
if (!found) {
next:
if (!found) {
ended++;
goto unlock;
dns_rdatatype_ds, 0);
* Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records.
nsecify(void) {
"dns_db_deleterdataset(nsec3param/rrsig)");
while (!done) {
if (generateds)
nextname);
if (!active) {
unsigned int iterations)
isc_buffer_t b;
&nsec3param, &b);
const unsigned char *nexthash;
0, NULL);
if (!delete_rrsigs)
unsigned int count1 = 0;
unsigned int count2 = 0;
count1++;
count2++;
name,
remove_duplicates(void) {
int order;
while (!done) {
nextname);
if (!active) {
if (generateds)
count--;
hashlist);
while (!done) {
nextname);
if (!active) {
count--;
isc_buffer_t b;
int len;
dns_rdatatype_soa, 0, 0,
goto cleanup;
dns_rdatatype_dnskey, 0, 0,
goto cleanup;
keyttl);
&keylist);
keyfiles[i]);
if (setksk)
NULL);
if (disable_zone_check)
program);
&orig_saltlen);
goto cleanup;
} else if (!set_salt) {
} else if (!set_iter)
goto cleanup;
goto cleanup;
} else if (!set_optout)
char *filename;
isc_buffer_t b;
isc_region_t r;
unsigned int filenamelen;
filename[0] = 0;
unsigned int labels;
isc_buffer_usedregion(&b, &r);
ISC_PLATFORM_NORETURN_PRE static void
usage(void) {
#ifdef USE_PKCS11
exit(0);
removetempfile(void) {
if (removefile)
if (time_us > 0) {
int i, ch;
int ndskeys = 0;
char *endp;
#ifdef USE_PKCS11
unsigned int eflags;
int tempfilelen;
isc_buffer_t b;
int len;
#define CMDLINE_FLAGS \
switch (ch) {
switch (ch) {
char *sarg;
sizeof(saltbuf));
usage();
NULL);
usage();
if (!pseudorandom)
if (ntasks == 0)
usage();
get_soa_ttls();
if (!set_keyttl)
if (IS_NSEC3) {
program);
else if (answer)
if (smartsign)
if (keycount == 0) {
if (disable_zone_check)
if (IS_NSEC3) {
unsigned int max;
switch (serialformat) {
case SOA_SERIAL_INCREMENT:
setsoaserial(0);
case SOA_SERIAL_UNIXTIME:
case SOA_SERIAL_KEEP:
if (IS_NSEC3)
&hashlist);
nsecify();
if (!nokeys) {
if (make_keyset)
for (i = 0; i < (int)ntasks; i++) {
if (printstats)
presign();
signapex();
if (!finished) {
for (i = 0; i < (int)ntasks; i++) {
tasks[i]);
(void)isc_app_run();
if (!finished)
for (i = 0; i < (int)ntasks; i++)
postsign();
verifyzone();
fp);
if (printstats)
if (free_output)
(void) isc_app_finish();
if (printstats) {