dnssec-signzone.c revision e8831e51c162f5961fcf1d89f68acd9336cf8a83
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
c3c8823fed039b3a2b8e5ca8bc2f3301d1dd840eMark Andrews * Portions Copyright (C) 1999-2003 Internet Software Consortium.
/* $Id: dnssec-signzone.c,v 1.249 2009/10/27 03:59:45 each Exp $ */
#include <config.h>
#include <stdlib.h>
#include <time.h>
#include "dnssectool.h"
#ifndef PATH_MAX
int verbose;
#define SOA_SERIAL_KEEP 0
struct signer_event {
static unsigned int keycount = 0;
static int jitter = 0;
static int nsec3flags = 0;
static unsigned int ntasks = 0;
static unsigned int hash_length = 0;
if (printstats) { \
counter++; \
isc_buffer_t b;
if (tryverify) {
&tuple);
static inline isc_boolean_t
static inline isc_boolean_t
static inline isc_boolean_t
static inline isc_boolean_t
static dns_dnsseckey_t *
return (key);
return (NULL);
static dns_dnsseckey_t *
return (key);
return (key);
return (NULL);
return (key);
static isc_boolean_t
switch (result) {
case ISC_R_SUCCESS:
case DNS_R_NXDOMAIN:
case DNS_R_NXRRSET:
return (ISC_TRUE);
case DNS_R_DELEGATION:
case DNS_R_CNAME:
case DNS_R_DNAME:
return (ISC_FALSE);
static inline isc_boolean_t
return (ISC_TRUE);
return (ISC_FALSE);
int arraysize;
if (!nosigs)
for (i = 0; i < arraysize; i++)
if (nosigs)
sigstr);
sigstr);
if (!expired)
&sigrdata)) {
&sigrdata)) {
} else if (!expired) {
if (keep) {
&sigrdata,
&tuple);
&sigrdata,
&tuple);
if (resign) {
struct hashlist {
unsigned char *hashbuf;
l->entries = 0;
if (nodes != 0) {
l->size = 0;
l->size = 0;
l->entries++;
unsigned int len;
size_t i;
if (verbose) {
for (i = 0 ; i < len; i++)
hashlist_comp(const void *a, const void *b) {
static isc_boolean_t
unsigned char *current;
entries--;
return (ISC_TRUE);
return (ISC_FALSE);
return (next);
static isc_boolean_t
return (ISC_TRUE);
return (ISC_FALSE);
if (verbose) {
ISC_TRUE);
isc_buffer_t b;
if (isc_buffer_availablelength(&b) == 0) {
isc_buffer_putuint8(&b, 0);
static isc_result_t
dns_rdatatype_ds, 0, 0,
return (result);
return (ISC_R_NOTFOUND);
return (result);
return (result);
return (result);
static isc_boolean_t
return (ISC_FALSE);
static isc_boolean_t
return (ISC_FALSE);
goto skip;
if (isdelegation) {
goto skip;
namebuf);
skip:
static inline isc_boolean_t
if (!active)
covers);
if (!found) {
covers);
return (active);
get_soa_ttls(void) {
static isc_result_t
return result;
goto cleanup;
if (serial) {
if (new_serial == 0)
dns_rdatatype_soa, 0);
goto cleanup;
goto cleanup;
return (result);
if (destroy) {
covers);
presign(void) {
postsign(void) {
static isc_boolean_t
&dstkey);
return (ISC_FALSE);
return(ISC_TRUE);
return (ISC_FALSE);
unsigned char *bad_algorithms)
if (ksk_algorithms[i] != 0)
if ((ksk_algorithms[i] != 0) &&
(set_algorithms[i] == 0)) {
unsigned char *bad_algorithms)
verifyzone(void) {
#ifdef ALLOW_KSKLESS_ZONES
if (disable_zone_check)
#ifdef ALLOW_KSKLESS_ZONES
mctx)) {
sizeof(namebuf));
mctx)) {
#ifdef ALLOW_KSKLESS_ZONES
#ifdef ALLOW_KSKLESS_ZONES
#ifdef ALLOW_KSKLESS_ZONES
if (!goodksk) {
if (!ignore_kskflag)
if (!allzsksigned)
if (!goodksk) {
#ifdef ALLOW_KSKLESS_ZONES
if (ksk_algorithms[i] != 0)
if ((ksk_algorithms[i] != 0) ==
(zsk_algorithms[i] != 0))
(ksk_algorithms[i] != 0)
algbuf);
while (!done) {
nextname);
if (bad_algorithms[i] != 0) {
if (first)
if (!first) {
if ((ksk_algorithms[i] != 0) ||
(standby_ksk[i] != 0) ||
(revoked_zsk[i] != 0) ||
(zsk_algorithms[i] != 0) ||
(standby_zsk[i] != 0) ||
(revoked_zsk[i] != 0)) {
zsk_algorithms[i],
standby_zsk[i],
revoked_zsk[i]);
signapex(void) {
if (shuttingdown)
if (finished) {
ended++;
goto unlock;
while (!found) {
goto next;
nsec_datatype, 0, 0,
if (!found) {
next:
if (!found) {
ended++;
goto unlock;
dns_rdatatype_ds, 0);
* Generate NSEC records for the zone and remove NSEC3/NSEC3PARAM records
nsecify(void) {
"dns_db_deleterdataset(nsec3param/rrsig)");
"dns_db_deleterdataset(nsec3param/rrsig)");
while (!done) {
if (generateds)
nextname);
if (!active) {
unsigned int iterations)
isc_buffer_t b;
&nsec3param, &b);
const unsigned char *nexthash;
0, NULL);
if (!delete_rrsigs)
int order;
if (!update_chain)
"dns_db_deleterdataset(nsec3param/rrsig)");
while (!done) {
nextname);
if (!active) {
if (generateds)
count--;
hashlist);
while (!done) {
nextname);
if (!active) {
count--;
isc_buffer_t b;
int len;
dns_rdatatype_soa, 0, 0,
goto cleanup;
dns_rdatatype_dnskey, 0, 0,
goto cleanup;
keyttl);
&keylist);
keyfiles[i]);
if (setksk)
NULL);
if (disable_zone_check)
program);
&orig_saltlen);
goto cleanup;
} else if (!set_salt) {
} else if (!set_iter)
goto cleanup;
goto cleanup;
} else if (!set_optout)
char *filename;
isc_buffer_t b;
isc_region_t r;
unsigned int filenamelen;
filename[0] = 0;
unsigned int labels;
isc_buffer_usedregion(&b, &r);
ISC_PLATFORM_NORETURN_PRE static void
usage(void) {
#ifdef USE_PKCS11
exit(0);
removetempfile(void) {
if (removefile)
if (runtime_us > 0) {
int i, ch;
int ndskeys = 0;
char *endp;
#ifdef USE_PKCS11
unsigned int eflags;
int tempfilelen;
isc_buffer_t b;
int len;
#define CMDLINE_FLAGS \
switch (ch) {
switch (ch) {
char *sarg;
sizeof(saltbuf));
usage();
NULL);
usage();
if (!pseudorandom)
if (ntasks == 0)
usage();
get_soa_ttls();
if (!set_keyttl)
if (IS_NSEC3) {
if (answer)
if (smartsign)
if (keycount == 0) {
if (disable_zone_check)
if (IS_NSEC3) {
unsigned int max;
switch (serialformat) {
case SOA_SERIAL_INCREMENT:
setsoaserial(0);
case SOA_SERIAL_UNIXTIME:
case SOA_SERIAL_KEEP:
if (IS_NSEC3)
&hashlist);
nsecify();
if (!nokeys) {
if (make_keyset)
for (i = 0; i < (int)ntasks; i++) {
if (printstats)
presign();
signapex();
if (!finished) {
for (i = 0; i < (int)ntasks; i++) {
tasks[i]);
(void)isc_app_run();
if (!finished)
for (i = 0; i < (int)ntasks; i++)
postsign();
verifyzone();
fp);
if (printstats)
if (free_output)
(void) isc_app_finish();
if (printstats) {