signer.c revision b18192fd96726bf2cf553bd0e209dfe231abb1d9
ccdac53c027e8964753b36c4d8c7b0e98af501c2Michael Graff#define is_zone_key(key) ((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) \
ccdac53c027e8964753b36c4d8c7b0e98af501c2Michael Graffstatic inline void
91306d962f9d147d94b82fb14edb28f8d907cae7Andreas Gustafssonstatic inline void
91306d962f9d147d94b82fb14edb28f8d907cae7Andreas Gustafssoncheck_result(isc_result_t result, char *message) {
e893dce91279d7313a579f72caae3941f6dc5a27David Lawrenceset_bit(unsigned char *array, unsigned int index, unsigned int bit) {
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halleyfind_apex_keys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley dns_name_t *name, isc_mem_t *mctx, unsigned int maxkeys,
3b77946b751f39bd4db5a7d1fe48a81e6b1e7a28Bob Halley unsigned int count = 0;
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson result = dns_db_findrdataset(db, node, ver, dns_rdatatype_key, 0, 0,
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson check_result(result, "dns_db_findrdataset()");
3ecf3394e37dc2848a09ffc643565d454e9e6974Andreas Gustafsson check_result(result, "dns_rdataset_first()");
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence while (result == ISC_R_SUCCESS && count < maxkeys) {
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey);
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence check_result(result, "dns_dnssec_keyfromrdata()");
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence result = dst_key_fromfile(dst_key_name(pubkey),
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence check_result(result, "iteration over zone keys");
ae4cbb69eef32ced103fe4561e8d2031ee4c3497David Lawrencesign_with_key(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdata_t *rdata,
ae4cbb69eef32ced103fe4561e8d2031ee4c3497David Lawrence dns_rdatalist_t *sigrdatalist, isc_stdtime_t *now,
0293ad13207aa29bd5844cdc87d085ffc009d749David Lawrence isc_buffer_init(&b, r.base, r.length, ISC_BUFFERTYPE_BINARY);
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence result = dns_dnssec_sign(name, rdataset, key, now, later,
0293ad13207aa29bd5844cdc87d085ffc009d749David Lawrence result = dns_dnssec_verify(name, rdataset, key, mctx, rdata);
0293ad13207aa29bd5844cdc87d085ffc009d749David Lawrence ISC_LIST_APPEND(sigrdatalist->rdata, rdata, link);
0293ad13207aa29bd5844cdc87d085ffc009d749David Lawrenceresign_set(dns_name_t *name, dns_name_t *origin, dns_rdataset_t *rdataset,
0293ad13207aa29bd5844cdc87d085ffc009d749David Lawrence dns_rdata_t *rdata, dns_rdatalist_t *sigrdatalist,
0293ad13207aa29bd5844cdc87d085ffc009d749David Lawrence dns_rdata_t *oldsigrdata, isc_stdtime_t *now, isc_stdtime_t *later,
0293ad13207aa29bd5844cdc87d085ffc009d749David Lawrence dst_key_t **keys, int nkeys, unsigned char *array, int len)
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence result = dns_rdata_tostruct(oldsigrdata, &sig, mctx);
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff * Is this a real signature that we should regenerate?
1ce985ab3c6670662d555c108b35fed84a6a1001David Lawrence if (dns_name_compare(sig.signer, origin) == 0) {
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence for (i = 0; i < nkeys; i++) {
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence sign_with_key(name, rdataset, rdata, sigrdatalist,
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence if (dns_name_compare(sig.signer, origin) != 0 || foundnonzone) {
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence isc_buffer_init(&b, array, len, ISC_BUFFERTYPE_BINARY);
4bcaefbcd3ced942139fdc830e007c6ea2b8d2feDavid Lawrence result = dns_rdata_fromstruct(rdata, rdataset->rdclass,
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff ISC_LIST_APPEND(sigrdatalist->rdata, rdata, link);
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff check_result(result, "dns_rdata_fromstruct()");
657ce0b9d84fbd66514df53d61a087e8f1161187Michael Graff printf("couldn't find key <origin>/%d, dropping sig\n",
31d3464c0c0a35236c7924f698c5a8a66a9ed534Mark Andrewsgenerate_sig(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson dns_name_t *name, dst_key_t **keys, isc_boolean_t *defaultkey,
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson dns_rdataset_t rdataset, sigrdataset, oldsigset;
47fd46791da765e3dbedd987e9b263b3bee25986Brian Wellington result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
47fd46791da765e3dbedd987e9b263b3bee25986Brian Wellington check_result(result, "dns_db_allrdatasets()");
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson dns_rdatasetiter_current(rdsiter, &rdataset);
6fcb2f0faad67a6d2cb2e30ec57157d75fbfe58fAndreas Gustafsson if (rdataset.type == dns_rdatatype_sig ||
754cca729dd82ae8363917dc00ad44f9d900635bMark Andrews result = dns_db_findrdataset(db, node, version,
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews alreadysigned = ISC_FALSE; /* not that this matters */
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews * There probably should be a dns_nxtsetbit or something,
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews * but it can get complicated if we need to extend the
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews * length. In this case, since the NXT bit is set and
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews * SIG < NXT, the easy way works.
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews if (rdataset.type == dns_rdatatype_nxt && !alreadysigned) {
40dd9cb8cc240c33d820fe79f176ed51e4c06a1aMark Andrews unsigned char *nxt_bits;
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson check_result(result, "dns_rdataset_first()");
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson for (i = 0; i < nkeys; i++) {
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson if (!defaultkey[i] || !is_zone_key(keys[i]))
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson sign_with_key(name, &rdataset, &rdatas[i],
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson dns_rdataset_current(&oldsigset, &sigrdata);
5ff133b82082d82f0ba89b7c999c6b62b6298e46Andreas Gustafsson resign_set(name, origin, &rdataset, &rdatas[i],
61d5bfc06be978ea962b1c64309894ac80351771Mark Andrews result = dns_rdatalist_tordataset(&sigrdatalist, &sigrdataset);
5f9e583552f53de12062bfff12e47250abce378fBrian Wellington check_result(result, "dns_rdatalist_tordataset");
13faa8b6a2d0d45e0659049983928366252ab3faMichael Graff result = dns_db_addrdataset(db, node, version, 0, &sigrdataset,
3fcf6b956f47405750724bd84e1b2290b61c9186Brian Wellington check_result(result, "dns_db_addrdataset");
68f72235f8f41fa949823551d8e6476057ec5bd6Andreas Gustafssonactive_node(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
80f323528ac699026a609a5e3b765dc6e88fe37cAndreas Gustafsson result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
5989aea4bbe79e09290792f04aeb557e2b2da02eAndreas Gustafsson check_result(result, "dns_db_allrdatasets()");
5989aea4bbe79e09290792f04aeb557e2b2da02eAndreas Gustafsson result = dns_rdatasetiter_first(rdsiter);
e4c7b24ab12572b6781d5c545c7b7949cbd2a6f7Brian Wellington dns_rdatasetiter_current(rdsiter, &rdataset);
bd1db480f30e025bba719799f910b34848a9a997Mark Andrews * Make sure there is no NXT record for this node.
bd1db480f30e025bba719799f910b34848a9a997Mark Andrews result = dns_db_deleterdataset(db, node, version,
5989aea4bbe79e09290792f04aeb557e2b2da02eAndreas Gustafsson check_result(result, "dns_db_deleterdataset");
5f9e583552f53de12062bfff12e47250abce378fBrian Wellingtonnext_active(dns_db_t *db, dns_dbversion_t *version, dns_dbiterator_t *dbiter,
0e40083fdd5445703bd30e46e5bfe7d047bced12Brian Wellington result = dns_dbiterator_current(dbiter, nodep, name);
fee5012c43744322c1785e5c3e0c322443faa304Brian Wellington } while (result == ISC_R_SUCCESS && !active);
fee5012c43744322c1785e5c3e0c322443faa304Brian Wellington dns_name_t *name, *nextname, *target, curname;
fee5012c43744322c1785e5c3e0c322443faa304Brian Wellington unsigned int nkeys = 0;
fee5012c43744322c1785e5c3e0c322443faa304Brian Wellington unsigned int i;
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington isc_buffer_init(&b, origintext, len, ISC_BUFFERTYPE_TEXT);
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington result = dns_name_fromtext(name, &b, dns_rootname, ISC_FALSE, NULL);
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington check_result(result, "dns_name_fromtext()");
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington result = dns_db_create(mctx, "rbt", name, ISC_FALSE,
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington result = dns_db_findnode(db, name, ISC_FALSE, &node);
af5ad488cbf17988fbd36a25c908737412ccd382Brian Wellington result = find_apex_keys(db, NULL, node, name, mctx, MAXKEYS,
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington check_result(result, "dns_dnssec_findzonekeys()");
af5ad488cbf17988fbd36a25c908737412ccd382Brian Wellington for (i = 0; i < nkeys; i++)
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington check_result(result, "dns_db_newversion()");
dee520f1be8c59e10a55b6995844395e811c310fBrian Wellington result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
dee520f1be8c59e10a55b6995844395e811c310fBrian Wellington check_result(result, "dns_db_createiterator()");
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington result = next_active(db, wversion, dbiter, name, &node);
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence isc_buffer_init(&curbuf, curdata, sizeof(curdata),
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence dns_dbiterator_current(dbiter, &curnode, &curname);
e2b585787f4779f49bd0982562acbbb7d0b65a95Andreas Gustafsson result = next_active(db, wversion, dbiter, nextname,
e2b585787f4779f49bd0982562acbbb7d0b65a95Andreas Gustafsson target = NULL; /* Make compiler happy. */
e2b585787f4779f49bd0982562acbbb7d0b65a95Andreas Gustafsson nxtresult = dns_buildnxt(db, wversion, node, target);
e2b585787f4779f49bd0982562acbbb7d0b65a95Andreas Gustafsson check_result(nxtresult, "dns_buildnxt()");
7f9bc71eca311843611a4b0cfdeb12eda324b689Mark Andrews generate_sig(db, wversion, node, &curname, keys, defaultkey,
967fafd9674da590f605d1cbe5f66dd7ddbeb849David Lawrence * XXXRTH For now, we don't increment the SOA serial.
e2b585787f4779f49bd0982562acbbb7d0b65a95Andreas Gustafsson sprintf(newfilename, "%s.new", filename);
e2b585787f4779f49bd0982562acbbb7d0b65a95Andreas Gustafsson result = dns_db_dump(db, NULL, newfilename);
1c0ff8a9cc1e1edd55acff6802f8811966732653Brian Wellington for (i = 0; i < nkeys; i++)
e2b585787f4779f49bd0982562acbbb7d0b65a95Andreas Gustafsson check_result(result, "isc_mem_create()");
9a2574531e3d2ced31072200b416467fdee0c29cDavid Lawrence for (i = 0; i < argc; i++)