dnssec-signzone.c revision f104fbbe4e868a039ed786c0087c0412ab6dd923
#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <isc/types.h>
#include <isc/assertions.h>
#include <isc/buffer.h>
#include <isc/error.h>
#include <isc/mem.h>
#include <isc/stdtime.h>
#include <dns/types.h>
#include <dns/name.h>
#include <dns/fixedname.h>
#include <dns/db.h>
#include <dns/dbiterator.h>
#include <dns/rdata.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/result.h>
#include <dns/dnssec.h>
#include <dns/keyvalues.h>
#include <dst/dst.h>
#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
== DNS_KEYOWNER_ZONE)
static isc_mem_t *mctx = NULL;
static inline void
fatal(char *message) {
fprintf(stderr, "%s\n", message);
exit(1);
}
static inline void
check_result(isc_result_t result, char *message) {
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "%s: %s\n", message,
isc_result_totext(result));
exit(1);
}
}
static void
set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
unsigned int byte, shift, mask;
byte = array[index / 8];
shift = 7 - (index % 8);
mask = 1 << shift;
if (bit)
array[index / 8] |= mask;
else
array[index / 8] &= (~mask & 0xFF);
}
/*
* XXXRTH Something like this will become a library function.
*/
static void
build_nxt(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
dns_name_t *target)
{
isc_result_t result;
dns_rdata_t rdata;
dns_rdataset_t rdataset;
dns_rdatalist_t rdatalist;
isc_region_t r;
unsigned char data[256 + 16];
unsigned char *nxt_bits;
unsigned int max_type;
dns_rdatasetiter_t *rdsiter;
memset(data, 0, sizeof data);
dns_name_toregion(target, &r);
memcpy(data, r.base, r.length);
r.base = data;
nxt_bits = r.base + r.length;
set_bit(nxt_bits, dns_rdatatype_nxt, 1);
max_type = dns_rdatatype_nxt;
dns_rdataset_init(&rdataset);
rdsiter = NULL;
result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
check_result(result, "dns_db_allrdatasets()");
result = dns_rdatasetiter_first(rdsiter);
while (result == ISC_R_SUCCESS) {
dns_rdatasetiter_current(rdsiter, &rdataset);
if (rdataset.type > 127)
fatal("rdataset type too large");
if (rdataset.type != dns_rdatatype_nxt) {
if (rdataset.type > max_type)
max_type = rdataset.type;
set_bit(nxt_bits, rdataset.type, 1);
}
dns_rdataset_disassociate(&rdataset);
result = dns_rdatasetiter_next(rdsiter);
}
if (result != DNS_R_NOMORE)
fatal("rdataset iteration failed");
dns_rdatasetiter_destroy(&rdsiter);
dns_rdata_init(&rdata);
r.length += (max_type / 8);
if (max_type % 8 != 0)
r.length++;
dns_rdata_fromregion(&rdata, dns_rdataclass_in,
dns_rdatatype_nxt,
&r);
rdatalist.rdclass = dns_rdataclass_in;
rdatalist.type = dns_rdatatype_nxt;
rdatalist.covers = 0;
rdatalist.ttl = 3600; /* XXXRTH */
ISC_LIST_INIT(rdatalist.rdata);
ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
check_result(result, "dns_rdatalist_tordataset");
result = dns_db_addrdataset(db, node, version, 0, &rdataset,
ISC_FALSE, NULL);
if (result == DNS_R_UNCHANGED)
result = ISC_R_SUCCESS;
check_result(result, "dns_db_addrdataset");
dns_rdataset_disassociate(&rdataset);
}
static void
generate_sig(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
dns_name_t *name, dst_key_t *key)
{
isc_result_t result;
dns_rdata_t rdata;
dns_rdataset_t rdataset, sigrdataset;
dns_rdatalist_t sigrdatalist;
isc_region_t data;
dns_rdatasetiter_t *rdsiter;
isc_buffer_t buffer;
unsigned char array[1024];
ISC_LIST_INIT(sigrdatalist.rdata);
dns_rdataset_init(&rdataset);
rdsiter = NULL;
result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
check_result(result, "dns_db_allrdatasets()");
result = dns_rdatasetiter_first(rdsiter);
while (result == ISC_R_SUCCESS) {
dns_rdatasetiter_current(rdsiter, &rdataset);
if (rdataset.type > 127)
fatal("rdataset type too large");
if (rdataset.type == dns_rdatatype_nxt) {
unsigned char *nxt_bits;
dns_name_t nxtname;
isc_region_t r, r2;
result = dns_rdataset_first(&rdataset);
check_result(result, "dns_rdataset_first()");
dns_rdataset_current(&rdataset, &rdata);
dns_rdata_toregion(&rdata, &r);
dns_name_init(&nxtname, NULL);
dns_name_fromregion(&nxtname, &r);
dns_name_toregion(&nxtname, &r2);
nxt_bits = r.base + r2.length;
set_bit(nxt_bits, dns_rdatatype_sig, 1);
}
if (rdataset.type != dns_rdatatype_sig &&
!(rdataset.type == dns_rdatatype_key &&
dns_name_compare(name, dns_db_origin(db)) == 0))
{
isc_stdtime_t now, later;
isc_stdtime_get(&now);
later = 100000 + now;
data.base = array;
data.length = sizeof(array);
memset(data.base, 0, data.length);
dns_rdata_init(&rdata);
isc_buffer_init(&buffer, data.base, data.length,
ISC_BUFFERTYPE_BINARY);
result = dns_dnssec_sign(name, &rdataset, key,
&now, &later,
mctx, &buffer, &rdata);
check_result(result, "dns_dnssec_sign()");
result = dns_dnssec_verify(name, &rdataset, key,
mctx, &rdata);
check_result(result, "dns_dnssec_verify()");
ISC_LIST_APPEND(sigrdatalist.rdata, &rdata, link);
sigrdatalist.rdclass = rdataset.rdclass;
sigrdatalist.type = dns_rdatatype_sig;
sigrdatalist.covers = rdataset.type;
sigrdatalist.ttl = rdataset.ttl;
dns_rdataset_init(&sigrdataset);
result = dns_rdatalist_tordataset(&sigrdatalist,
&sigrdataset);
check_result(result, "dns_rdatalist_tordataset");
result = dns_db_addrdataset(db, node, version, 0,
&sigrdataset,
ISC_FALSE, NULL);
if (result == DNS_R_UNCHANGED)
result = ISC_R_SUCCESS;
check_result(result, "dns_db_addrdataset");
dns_rdataset_disassociate(&sigrdataset);
}
dns_rdataset_disassociate(&rdataset);
result = dns_rdatasetiter_next(rdsiter);
}
if (result != DNS_R_NOMORE)
fatal("rdataset iteration failed");
dns_rdatasetiter_destroy(&rdsiter);
}
static void
find_key(dns_db_t *db, dns_dbnode_t *node, dns_name_t *name, dst_key_t **key) {
dns_rdataset_t rdataset;
dns_rdata_t rdata;
isc_result_t result;
dst_key_t *pubkey;
*key = NULL;
dns_rdataset_init(&rdataset);
result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_key, 0, 0,
&rdataset);
check_result(result, "dns_db_findrdataset()");
result = dns_rdataset_first(&rdataset);
check_result(result, "dns_rdataset_first()");
while (result == ISC_R_SUCCESS) {
pubkey = NULL;
dns_rdataset_current(&rdataset, &rdata);
result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey);
check_result(result, "dns_dnssec_keyfromrdata()");
if (!is_zone_key(pubkey)) {
dst_key_free(pubkey);
continue;
}
result = dst_key_fromfile(dst_key_name(pubkey),
dst_key_id(pubkey),
dst_key_alg(pubkey),
DST_TYPE_PRIVATE,
mctx, key);
check_result(result, "dst_key_fromfile()");
dst_key_free(pubkey);
break;
}
dns_rdataset_disassociate(&rdataset);
if (*key == NULL)
check_result(ISC_R_FAILURE, "no key found");
}
static inline isc_boolean_t
active_node(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
dns_rdatasetiter_t *rdsiter;
isc_boolean_t active = ISC_FALSE;
isc_result_t result;
dns_rdataset_t rdataset;
dns_rdataset_init(&rdataset);
rdsiter = NULL;
result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
check_result(result, "dns_db_allrdatasets()");
result = dns_rdatasetiter_first(rdsiter);
while (result == ISC_R_SUCCESS) {
dns_rdatasetiter_current(rdsiter, &rdataset);
if (rdataset.type != dns_rdatatype_nxt)
active = ISC_TRUE;
dns_rdataset_disassociate(&rdataset);
if (!active)
result = dns_rdatasetiter_next(rdsiter);
else
result = DNS_R_NOMORE;
}
if (result != DNS_R_NOMORE)
fatal("rdataset iteration failed");
dns_rdatasetiter_destroy(&rdsiter);
if (!active) {
/*
* Make sure there is no NXT record for this node.
*/
result = dns_db_deleterdataset(db, node, version,
dns_rdatatype_nxt);
if (result == DNS_R_UNCHANGED)
result = ISC_R_SUCCESS;
check_result(result, "dns_db_deleterdataset");
}
return (active);
}
static inline isc_result_t
next_active(dns_db_t *db, dns_dbversion_t *version, dns_dbiterator_t *dbiter,
dns_name_t *name, dns_dbnode_t **nodep)
{
isc_result_t result;
isc_boolean_t active;
do {
active = ISC_FALSE;
result = dns_dbiterator_current(dbiter, nodep, name);
if (result == ISC_R_SUCCESS) {
active = active_node(db, version, *nodep);
if (!active) {
dns_db_detachnode(db, nodep);
result = dns_dbiterator_next(dbiter);
}
}
} while (result == ISC_R_SUCCESS && !active);
return (result);
}
static void
sign(char *filename) {
isc_result_t result;
dns_db_t *db;
dns_dbversion_t *wversion;
dns_dbnode_t *node, *nextnode, *curnode;
char *origintext;
dns_fixedname_t fname, fnextname;
dns_name_t *name, *nextname, *target, curname;
isc_buffer_t b;
size_t len;
dns_dbiterator_t *dbiter;
char newfilename[1024];
dst_key_t *key = NULL;
unsigned char curdata[1024];
isc_buffer_t curbuf;
dns_fixedname_init(&fname);
name = dns_fixedname_name(&fname);
dns_fixedname_init(&fnextname);
nextname = dns_fixedname_name(&fnextname);
origintext = strrchr(filename, '/');
if (origintext == NULL)
origintext = filename;
else
origintext++; /* Skip '/'. */
len = strlen(origintext);
isc_buffer_init(&b, origintext, len, ISC_BUFFERTYPE_TEXT);
isc_buffer_add(&b, len);
result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
check_result(result, "dns_name_fromtext()");
db = NULL;
result = dns_db_create(mctx, "rbt", name, ISC_FALSE,
dns_rdataclass_in, 0, NULL, &db);
check_result(result, "dns_db_create()");
result = dns_db_load(db, filename);
check_result(result, "dns_db_load()");
node = NULL;
result = dns_db_findnode(db, name, ISC_FALSE, &node);
check_result(result, "dns_db_findnode()");
find_key(db, node, name, &key);
dns_db_detachnode(db, &node);
wversion = NULL;
result = dns_db_newversion(db, &wversion);
check_result(result, "dns_db_newversion()");
dbiter = NULL;
result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
check_result(result, "dns_db_createiterator()");
result = dns_dbiterator_first(dbiter);
node = NULL;
result = next_active(db, wversion, dbiter, name, &node);
while (result == ISC_R_SUCCESS) {
nextnode = NULL;
curnode = NULL;
dns_name_init(&curname, NULL);
isc_buffer_init(&curbuf, curdata, sizeof(curdata),
ISC_BUFFERTYPE_BINARY);
dns_name_setbuffer(&curname, &curbuf);
dns_dbiterator_current(dbiter, &curnode, &curname);
result = dns_dbiterator_next(dbiter);
if (result == ISC_R_SUCCESS)
result = next_active(db, wversion, dbiter, nextname,
&nextnode);
if (result == ISC_R_SUCCESS)
target = nextname;
else if (result == DNS_R_NOMORE)
target = dns_db_origin(db);
else {
target = NULL; /* Make compiler happy. */
fatal("db iteration failed");
}
build_nxt(db, wversion, node, target);
generate_sig(db, wversion, node, &curname, key);
dns_name_invalidate(&curname);
dns_db_detachnode(db, &node);
dns_db_detachnode(db, &curnode);
node = nextnode;
}
if (result != DNS_R_NOMORE)
fatal("db iteration failed");
dns_dbiterator_destroy(&dbiter);
/*
* XXXRTH For now, we don't increment the SOA serial.
*/
dns_db_closeversion(db, &wversion, ISC_TRUE);
len = strlen(filename);
if (len + 4 + 1 > sizeof newfilename)
fatal("filename too long");
sprintf(newfilename, "%s.new", filename);
result = dns_db_dump(db, NULL, newfilename);
check_result(result, "dns_db_dump");
dns_db_detach(&db);
dst_key_free(key);
}
int
main(int argc, char *argv[]) {
int i;
isc_result_t result;
dns_result_register();
result = isc_mem_create(0, 0, &mctx);
check_result(result, "isc_mem_create()");
argc--;
argv++;
for (i = 0; i < argc; i++)
sign(argv[i]);
isc_mem_stats(mctx, stdout);
isc_mem_destroy(&mctx);
return (0);
}