dnssec-signzone.c revision cdde861f12093487c09122ca740d44a4c570c683
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * Portions Copyright (C) 1999, 2000 Internet Software Consortium.
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
7c74e180c206e6ed99e8beb820da5f399d845c3eDavid Lawrence * Permission to use, copy, modify, and distribute this software for any
7c74e180c206e6ed99e8beb820da5f399d845c3eDavid Lawrence * purpose with or without fee is hereby granted, provided that the above
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence * copyright notice and this permission notice appear in all copies.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM AND
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * NETWORK ASSOCIATES DISCLAIM ALL WARRANTIES WITH REGARD TO THIS
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE CONSORTIUM OR NETWORK
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * ASSOCIATES BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews * CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
9c3531d72aeaad6c5f01efe6a1c82023e1379e4dDavid Lawrence * USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
866d106459313499d0ca7bfccb4b2d23d5e4377cDavid Lawrence * OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
74cb99072c4b0ebd2ccafcfa284288fa760f7a1aMark Andrews * PERFORMANCE OF THIS SOFTWARE.
7c74e180c206e6ed99e8beb820da5f399d845c3eDavid Lawrence/* $Id: dnssec-signzone.c,v 1.90 2000/08/10 22:08:23 bwelling Exp $ */
11dbf2fc38eea8c5d3fe7123718bf197a8bb2e6bMark Andrews/*#define USE_ZONESTATUS*/
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrewstypedef struct signer_array_struct signer_array_t;
91306d962f9d147d94b82fb14edb28f8d907cae7Andreas Gustafssonstatic isc_stdtime_t starttime = 0, endtime = 0, now;
91306d962f9d147d94b82fb14edb28f8d907cae7Andreas Gustafssonstatic isc_boolean_t tryverify = ISC_FALSE;
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrencestatic const dns_master_style_t *masterstyle = &dns_master_style_explicitttl;
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrencestatic inline void
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrenceset_bit(unsigned char *array, unsigned int index, unsigned int bit) {
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halleysignwithkey(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley result = dns_dnssec_sign(name, rdataset, key, &starttime, &endtime,
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson fatal("key '%s/%s/%d' failed to sign data: %s",
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson nametostr(dst_key_name(key)), algtostr(dst_key_alg(key)),
a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉 dst_key_id(key), isc_result_totext(result));
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson result = dns_dnssec_verify(name, rdataset, key,
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence vbprintf(3, "\tsignature failed to verify\n");
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence return (ISC_TF(dns_name_equal(dst_key_name(key->key),
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence * Finds the key that generated a SIG, if possible. First look at the keys
ae4cbb69eef32ced103fe4561e8d2031ee4c3497David Lawrence * that we've loaded already, and then see if there's a key on disk.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews dns_name_equal(&sig->signer, dst_key_name(key->key)))
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence key = isc_mem_get(mctx, sizeof(signer_key_t));
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews result = dst_key_fromfile(&sig->signer, sig->keyid, sig->algorithm,
0293ad13207aa29bd5844cdc87d085ffc009d749David Lawrence * Check to see if we expect to find a key at this name. If we see a SIG
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence * and can't find the signing key that we expect to find, we drop the sig.
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence * I'm not sure if this is completely correct, but it seems to work.
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrenceexpecttofindkey(dns_name_t *name, dns_db_t *db, dns_dbversion_t *version) {
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff result = dns_db_find(db, name, version, dns_rdatatype_key, options,
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff 0, NULL, dns_fixedname_name(&fname), NULL, NULL);
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence fatal("failure looking for '%s KEY' in database: %s",
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrencesetverifies(dns_name_t *name, dns_rdataset_t *set, signer_key_t *key,
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence result = dns_dnssec_verify(name, set, key->key, ISC_FALSE, mctx, sig);
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff trdata = isc_mem_get(mctx, sizeof(dns_rdata_t)); \
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff tdata = isc_mem_get(mctx, sizeof(signer_array_t)); \
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff isc_buffer_init(&b, tdata->array, sizeof(tdata->array));
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson * Signs a set. Goes through contortions to decide if each SIG should
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrews * be dropped or retained, and then determines if any new SIGs need to
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrews * be generated.
641da3ca1184d9951d5cf91538524a345bf5f271Mark Andrewssignset(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
9fe28a624c659e380d47dbf45527637dab03b998Mark Andrews isc_boolean_t notsigned = ISC_TRUE, nosigs = ISC_FALSE;
323a9f3430abf186f8f84d795549391a8ed7f274Francis Dupont isc_boolean_t wassignedby[256], nowsignedby[256];
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews for (i = 0; i < 256; i++)
774c3a62d9adca187b44fe90919bb409a43a2f2aMark Andrews result = dns_db_findrdataset(db, node, version, dns_rdatatype_sig,
d7896edb4e93c4785a9281ea86afba86b758e813Mark Andrews fatal("failed while looking for '%s SIG %s': %s",
d7896edb4e93c4785a9281ea86afba86b758e813Mark Andrews vbprintf(1, "%s/%s:\n", nametostr(name), typetostr(set->type));
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson isc_boolean_t keep = ISC_FALSE, resign = ISC_FALSE;
6342df69b05f2f62d060fd4affdf536e51504084Mark Andrews dns_rdataset_current(&oldsigset, &oldsigrdata);
6342df69b05f2f62d060fd4affdf536e51504084Mark Andrews result = dns_rdata_tostruct(&oldsigrdata, &sig, mctx);
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson expired = ISC_TF(now + cycle > sig.timeexpire);
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson /* sig is dropped and not replaced */
38cd4d14cc341c2663e574035074788bb6f0fce2Evan Hunt "invalid validity period\n",
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson expecttofindkey(&sig.signer, db, version))
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson /* sig is dropped and not replaced */
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson vbprintf(2, "\tsig by %s/%s/%d dropped - "
47fd46791da765e3dbedd987e9b263b3bee25986Brian Wellington "private key not found\n",
47fd46791da765e3dbedd987e9b263b3bee25986Brian Wellington "key not found\n",
43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews "\tsig by %s/%s/%d retained\n",
43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews "\tsig by %s/%s/%d dropped - "
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson "failed to verify");
debd489a44363870f96f75818e89ec27d3cab736Francis Dupont "\tsig by %s/%s/%d retained\n",
debd489a44363870f96f75818e89ec27d3cab736Francis Dupont "\tsig by %s/%s/%d "
debd489a44363870f96f75818e89ec27d3cab736Francis Dupont "dropped - %s\n",
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews "failed to verify");
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 signwithkey(name, set, trdata, key->key, &b);
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 ISC_LIST_APPEND(siglist.rdata, trdata, link);
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews check_result(result, "dns_db_dns_rdataset_first()/next()");
ddb35cf2f301ae1c3fa601792034f6d349efc8c5Mark Andrews for (i = 0; i < 256; i++)
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews if (wassignedby[i] != 0) {
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews (notsigned || (wassignedby[alg] && !nowsignedby[alg])))
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 ISC_LIST_APPEND(siglist.rdata, trdata, link);
c0a76b3c0b42a110e14eb56103973944900400c4Mark Andrews result = dns_rdatalist_tordataset(&siglist, &sigset);
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews check_result(result, "dns_rdatalist_tordataset");
3dfa202e4fea6b985bcf8761e2d11c176baa40d1Mark Andrews result = dns_db_addrdataset(db, node, version, 0, &sigset,
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson * If this is compiled in, running a signed set through the
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson * signer with no private keys causes DNS_R_BADDB to occur
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson * later. This is bad.
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson result = dns_db_deleterdataset(db, node, version,
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson check_result(result, "dns_db_deleterdataset");
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson fatal("File is currently signed but no private keys were "
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson "found. This won't work.");
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews dns_rdata_t *next = ISC_LIST_NEXT(trdata, link);
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson isc_mem_put(mctx, trdata, sizeof(dns_rdata_t));
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson signer_array_t *next = ISC_LIST_NEXT(tdata, link);
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson isc_mem_put(mctx, tdata, sizeof(signer_array_t));
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson/* Determine if a KEY set contains a null key */
90407942d3afe50f04ccea361de3b164a5a1702dMichael Graff result = dns_dnssec_keyfromrdata(dns_rootname,
03e200df5dc283f24a6a349f0b31d3eab26da893Mark Andrews fatal("could not convert KEY into internal format");
a53259c4cc558f86dd008eccc60cc89b6734a03cMark Andrews * Looks for signatures of the zone keys by the parent, and imports them
a53259c4cc558f86dd008eccc60cc89b6734a03cMark Andrewsimportparentsig(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
a53259c4cc558f86dd008eccc60cc89b6734a03cMark Andrews isc_buffer_init(&b, filename, sizeof(filename));
45eea1bda65a66106bb7d85eae5997deb013bf0cMark Andrews fatal("name '%s' is too long", nametostr(name));
a53259c4cc558f86dd008eccc60cc89b6734a03cMark Andrews result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
5989aea4bbe79e09290792f04aeb557e2b2da02eAndreas Gustafsson result = dns_db_load(newdb, (char *)filename);
68f72235f8f41fa949823551d8e6476057ec5bd6Andreas Gustafsson result = dns_db_findnode(newdb, name, ISC_FALSE, &newnode);
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews result = dns_db_findrdataset(newdb, newnode, NULL, dns_rdatatype_key,
5989aea4bbe79e09290792f04aeb557e2b2da02eAndreas Gustafsson if (dns_rdataset_count(set) != dns_rdataset_count(&newset))
5989aea4bbe79e09290792f04aeb557e2b2da02eAndreas Gustafsson for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(set)) {
c16aed9c469a986f1b84e457db4a8c4d2da01ca3Mark Andrews vbprintf(2, "found the parent's signature of our zone key\n");
c16aed9c469a986f1b84e457db4a8c4d2da01ca3Mark Andrews result = dns_db_addrdataset(db, node, version, 0, &sigset, 0, NULL);
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews * Looks for our signatures of child keys. If present, inform the caller,
5989aea4bbe79e09290792f04aeb557e2b2da02eAndreas Gustafsson * who will set the zone status (KEY) bit in the NXT record.
5989aea4bbe79e09290792f04aeb557e2b2da02eAndreas Gustafssonhaschildkey(dns_db_t *db, dns_name_t *name) {
2995f8205eaa0d4bc3a57900a413b5cfdb83564fAndreas Gustafsson isc_buffer_init(&b, filename, sizeof(filename));
d73de275987d29627dc11d5bd4a22874a29f7874Mark Andrews fatal("name '%s' is too long", nametostr(name));
d73de275987d29627dc11d5bd4a22874a29f7874Mark Andrews result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
d73de275987d29627dc11d5bd4a22874a29f7874Mark Andrews result = dns_db_findnode(newdb, name, ISC_FALSE, &newnode);
d73de275987d29627dc11d5bd4a22874a29f7874Mark Andrews result = dns_db_findrdataset(newdb, newnode, NULL, dns_rdatatype_key,
5989aea4bbe79e09290792f04aeb557e2b2da02eAndreas Gustafsson for (; result == ISC_R_SUCCESS; result = dns_rdataset_next(&sigset)) {
919caa020b8f9b856d77b3a72e0c9301dfa495c7Andreas Gustafsson dns_rdataset_current(&sigset, &sigrdata);
5989aea4bbe79e09290792f04aeb557e2b2da02eAndreas Gustafsson result = dns_rdata_tostruct(&sigrdata, &sig, mctx);
bd1db480f30e025bba719799f910b34848a9a997Mark Andrews result = dns_dnssec_verify(name, &set, key->key,
c0707105f60934d59321c2fccbc254f9e31ff28aMark Andrews * Signs all records at a name. This mostly just signs each set individually,
c0707105f60934d59321c2fccbc254f9e31ff28aMark Andrews * but also adds the SIG bit to any NXTs generated earlier, deals with
c0707105f60934d59321c2fccbc254f9e31ff28aMark Andrews * parent/child KEY signatures, and handles other exceptional cases.
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrewssignname(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews static int warnwild = 0;
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews if (warnwild++ == 0) {
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews fprintf(stderr, "%s: warning: BIND 9 doesn't properly "
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews "handle wildcards in secure zones:\n",
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews fprintf(stderr, "\t- wildcard nonexistence proof is "
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews "not generated by the server\n");
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews fprintf(stderr, "\t- wildcard nonexistence proof is "
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews "not required by the resolver\n");
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews fprintf(stderr, "%s: warning: wildcard name seen: %s\n",
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews atorigin = dns_name_equal(name, dns_db_origin(db));
85a79fa7eb17767d9ae9030e0289ed3e95aab7c8Evan Hunt /* Is this a delegation point? */
85a79fa7eb17767d9ae9030e0289ed3e95aab7c8Evan Hunt result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews /* If this is a SIG set, skip it. */
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews * If this is a KEY set at the apex, look for a signedkey file.
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews if (rdataset.type == dns_rdatatype_key && atorigin) {
5989aea4bbe79e09290792f04aeb557e2b2da02eAndreas Gustafsson importparentsig(db, version, node, name, &rdataset);
5f9e583552f53de12062bfff12e47250abce378fBrian Wellington * If this name is a delegation point, skip all records
5f9e583552f53de12062bfff12e47250abce378fBrian Wellington * except an NXT set, unless we're using null keys, in
08a768e82ad64ede97f640c88e02984b59122753Michael Graff * which case we need to check for a null key and add one
08a768e82ad64ede97f640c88e02984b59122753Michael Graff * if it's not present.
c1d7e0562f6a72ecc07ab5140cf2b88183adbd08Francis Dupont * There probably should be a dns_nxtsetbit, but it can get
c1d7e0562f6a72ecc07ab5140cf2b88183adbd08Francis Dupont * complicated if we need to extend the length of the
c1d7e0562f6a72ecc07ab5140cf2b88183adbd08Francis Dupont * bit set. In this case, since the NXT bit is set and
c1d7e0562f6a72ecc07ab5140cf2b88183adbd08Francis Dupont * SIG < NXT and KEY < NXT, the easy way works.
c1d7e0562f6a72ecc07ab5140cf2b88183adbd08Francis Dupont unsigned char *nxt_bits;
c1d7e0562f6a72ecc07ab5140cf2b88183adbd08Francis Dupont check_result(result, "dns_rdataset_first()");
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont "setting KEY bit in NXT\n",
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont result = dns_db_findrdataset(db, node, version,
a631b30b1ddd8b2ea780371d0d99ba1c05bc7e42Francis Dupont "adding null key\n",
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews result = dst_key_generate(name, DNS_KEYALG_DSA,
761fa7d7709bdf2380a02b92f695ecdee929188aScott Mann "dns_rdatalist_tordataset");
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews fatal("rdataset iteration for name '%s' failed: %s",
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrewsactive_node(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
a20996ab6ff2be473b85470fddd2380a3e180e7bMark Andrews result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews * Make sure there is no NXT record for this node.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews result = dns_db_deleterdataset(db, node, version,
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrewsnext_active(dns_db_t *db, dns_dbversion_t *version, dns_dbiterator_t *dbiter,
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews result = dns_dbiterator_current(dbiter, nodep, name);
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrewsnext_nonglue(dns_db_t *db, dns_dbversion_t *version, dns_dbiterator_t *dbiter,
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews dns_name_t *name, dns_dbnode_t **nodep, dns_name_t *origin,
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews result = next_active(db, version, dbiter, name, nodep);
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews dresult = dns_master_dumpnodetostream(mctx, db,
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews check_result(dresult, "dns_master_dumpnodetostream");
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews * Extracts the zone minimum TTL from the SOA.
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrewsminimumttl(dns_db_t *db, dns_dbversion_t *version) {
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews result = dns_db_find(db, origin, version, dns_rdatatype_soa,
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews fatal("failed to find '%s SOA' in the zone: %s",
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews result = dns_rdata_tostruct(&soarr, &soa, mctx);
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews check_result(result, "dns_rdataset_tostruct()");
0e40083fdd5445703bd30e46e5bfe7d047bced12Brian Wellingtoncleannode(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
3ec6b563d7b6cb11a047f23faa2a0f206ccd93e7Brian Wellington result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington check_result(result, "dns_db_allrdatasets");
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington dresult = dns_db_deleterdataset(db, node, version,
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington check_result(dresult, "dns_db_allrdatasets");
dee520f1be8c59e10a55b6995844395e811c310fBrian Wellington * Generates NXTs and SIGs for each non-glue name in the zone.
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellingtonsignzone(dns_db_t *db, dns_dbversion_t *version) {
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington dns_name_t *name, *nextname, *target, *lastcut;
be515937febf025ec2a4c381bee58131ab0f32f4Mark Andrews result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
be515937febf025ec2a4c381bee58131ab0f32f4Mark Andrews check_result(result, "dns_db_createiterator()");
be515937febf025ec2a4c381bee58131ab0f32f4Mark Andrews dns_name_concatenate(origin, NULL, name, NULL);
be515937febf025ec2a4c381bee58131ab0f32f4Mark Andrews result = next_nonglue(db, version, dbiter, name, &node, origin,
be515937febf025ec2a4c381bee58131ab0f32f4Mark Andrews if (!dns_name_equal(name, dns_db_origin(db))) {
be515937febf025ec2a4c381bee58131ab0f32f4Mark Andrews result = dns_db_allrdatasets(db, node, version,
be515937febf025ec2a4c381bee58131ab0f32f4Mark Andrews if (result != ISC_R_SUCCESS && result != ISC_R_NOMORE)
be515937febf025ec2a4c381bee58131ab0f32f4Mark Andrews result = next_nonglue(db, version, dbiter, nextname,
489b76292622f5bc18bf1a18845f8166a73bd797Brian Wellington fatal("iterating through the database failed: %s",
3184ff5e45c8f821e5165ea60d674bfb87faf5b8Mark Andrews nxtresult = dns_buildnxt(db, version, node, target, zonettl);
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson dresult = dns_master_dumpnodetostream(mctx, db, version,
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson check_result(dresult, "dns_master_dumpnodetostream");
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson dns_name_concatenate(nextname, NULL, name, NULL);
16ee4fe11bad616a76c79e9f626a7e04a88ef4abMark Andrews fatal("iterating through the database failed: %s",
70e854766f5304f43e94212dc38ebaefe214148cMark Andrews isc_mem_put(mctx, lastcut, sizeof(dns_name_t));
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson * Load the zone file from disk
fa280ff02ad0c29616a0c3a22ef02cbb3f6db7efDavid Lawrenceloadzone(char *file, char *origin, dns_db_t **db) {
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson isc_buffer_init(&b2, namedata, sizeof(namedata));
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson result = dns_name_fromtext(&name, &b, dns_rootname, ISC_FALSE, &b2);
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson fatal("failed converting name '%s' to dns format: %s",
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson result = dns_db_create(mctx, "rbt", &name, dns_dbtype_zone,
9ceaa92a8ca8a0270ba296d44599e94d95033759Andreas Gustafsson fatal("failed loading zone from '%s': %s",
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson * Finds all public zone keys in the zone, and attempts to load the
a1884b96ef53efc8b4e14be173aaee552ca0213aAndreas Gustafsson * private keys from disk.
620de5a4b1f23dc9b4ec30d30c0607ff389be0daBob Halley unsigned int nkeys, i;
fafb62400d2f1b1da4f3908447e1f3935fc5155bBrian Wellington dns_db_currentversion(db, ¤tversion);
186e7f37c9fc985a7a7264cc8170e48a25bed434Mark Andrews result = dns_db_findnode(db, origin, ISC_FALSE, &node);
90c1e763d577da656b5eeb02462b5236dca5f266Mark Andrews result = dns_dnssec_findzonekeys(db, currentversion, node, origin, mctx,
b7945d73bc42499d50d5c4af6a525fe56e4dfacaMark Andrews for (i = 0; i < nkeys; i++) {
186e7f37c9fc985a7a7264cc8170e48a25bed434Mark Andrews dns_db_closeversion(db, ¤tversion, ISC_FALSE);
186e7f37c9fc985a7a7264cc8170e48a25bed434Mark Andrewsstrtotime(char *str, isc_int64_t now, isc_int64_t base) {
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence fprintf(stderr, "\t%s [options] zonefile [keys]\n", program);
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence fprintf(stderr, "Options: (default value in parenthesis) \n");
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence fprintf(stderr, "\t-s YYYYMMDDHHMMSS|+offset:\n");
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence fprintf(stderr, "\t\tSIG start time - absolute|offset (now)\n");
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence fprintf(stderr, "\t-e YYYYMMDDHHMMSS|+offset|\"now\"+offset]:\n");
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence fprintf(stderr, "\t\tSIG end time - absolute|from start|from now "
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence "(now + 30 days)\n");
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence fprintf(stderr, "\t\tcycle period - regenerate "
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence "if < cycle from end ( (end-start)/4 )\n");
03f4c76f95f75e2b0d1206e784e35bed6041305cBob Halley fprintf(stderr, "\t\tzone origin (name of zonefile)\n");
03f4c76f95f75e2b0d1206e784e35bed6041305cBob Halley fprintf(stderr, "\t\tfile the signed zone is written in "
03f4c76f95f75e2b0d1206e784e35bed6041305cBob Halley "(zonefile + .signed)\n");
03f4c76f95f75e2b0d1206e784e35bed6041305cBob Halley fprintf(stderr, "\t\tverify generated signatures\n");
03f4c76f95f75e2b0d1206e784e35bed6041305cBob Halley fprintf(stderr, "\t\tuse pseudorandom data (faster but less secure)\n");
03f4c76f95f75e2b0d1206e784e35bed6041305cBob Halley fprintf(stderr, "\t\ta file containing random data\n");
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence fprintf(stderr, "(default: all zone keys that have private keys)\n");
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence fprintf(stderr, "\tkeyfile (Kname+alg+tag)\n");
728156dfbdced7bc18b1f88227cced9d426a70e7Mark Andrews char *origin = NULL, *file = NULL, *output = NULL;
8af4e7aa4e2a6fe84bf4ebe09ca1d4ef1d8ab593Mark Andrews unsigned int eflags;
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence while ((ch = isc_commandline_parse(argc, argv, "s:e:c:v:o:f:ahpr:"))
16ee4fe11bad616a76c79e9f626a7e04a88ef4abMark Andrews cycle = strtol(isc_commandline_argument, &endp, 0);
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence verbose = strtol(isc_commandline_argument, &endp, 0);
d901b2252d664a5b96bae117416f8ee822dc6691Stephen Jacob for (i = 0; i < argc; i++) {
aceae69c7f3e76e8842de178851928619c65b61cMark Andrews "non-private key %s",
193738b819e3c699f9edd18864a6810fcfcec855Andreas Gustafsson check_result(result, "dns_db_newversion()");
a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉 result = isc_stdio_open(output, "w", &fp);
a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉 fatal("failed to open output file %s: %s", output,
a27fe4c990f96bd792f2a07ca4d38c78d5b9df2cTatuya JINMEI 神明達哉 dns_db_closeversion(db, &version, ISC_FALSE);