horok/bind9
1
0
Fork 0
Code Activity
bind9/lib/dns/dnssec.c
Daniel Baumann f66ff7eae6
Adding upstream version 1:9.20.9. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-21 13:32:37 +02:00

2414 lines
61 KiB
C
Raw Permalink Blame History

/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*! \file */
#include <ctype.h>
#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
#include <isc/buffer.h>
#include <isc/dir.h>
#include <isc/mem.h>
#include <isc/result.h>
#include <isc/serial.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/db.h>
#include <dns/diff.h>
#include <dns/dnssec.h>
#include <dns/fixedname.h>
#include <dns/kasp.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/message.h>
#include <dns/rdata.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
#include <dns/stats.h>
#include <dns/tsig.h> /* for DNS_TSIG_FUDGE */
isc_stats_t *dns_dnssec_stats;
#define is_response(msg) ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
#define RETERR(x) \
do { \
result = (x); \
if (result != ISC_R_SUCCESS) \
goto failure; \
} while (0)
#define TYPE_SIGN 0
#define TYPE_VERIFY 1
static isc_result_t
digest_callback(void *arg, isc_region_t *data);
static int
rdata_compare_wrapper(const void *rdata1, const void *rdata2);
static isc_result_t
rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
dns_rdata_t **rdata, int *nrdata);
static isc_result_t
digest_callback(void *arg, isc_region_t *data) {
dst_context_t *ctx = arg;
return dst_context_adddata(ctx, data);
}
static void
inc_stat(isc_statscounter_t counter) {
if (dns_dnssec_stats != NULL) {
isc_stats_increment(dns_dnssec_stats, counter);
}
}
/*
* Make qsort happy.
*/
static int
rdata_compare_wrapper(const void *rdata1, const void *rdata2) {
return dns_rdata_compare((const dns_rdata_t *)rdata1,
(const dns_rdata_t *)rdata2);
}
/*
* Sort the rdataset into an array.
*/
static isc_result_t
rdataset_to_sortedarray(dns_rdataset_t *set, isc_mem_t *mctx,
dns_rdata_t **rdata, int *nrdata) {
isc_result_t ret;
int i = 0, n;
dns_rdata_t *data;
dns_rdataset_t rdataset;
n = dns_rdataset_count(set);
data = isc_mem_cget(mctx, n, sizeof(dns_rdata_t));
dns_rdataset_init(&rdataset);
dns_rdataset_clone(set, &rdataset);
ret = dns_rdataset_first(&rdataset);
if (ret != ISC_R_SUCCESS) {
dns_rdataset_disassociate(&rdataset);
isc_mem_cput(mctx, data, n, sizeof(dns_rdata_t));
return ret;
}
/*
* Put them in the array.
*/
do {
dns_rdata_init(&data[i]);
dns_rdataset_current(&rdataset, &data[i++]);
} while (dns_rdataset_next(&rdataset) == ISC_R_SUCCESS);
/*
* Sort the array.
*/
qsort(data, n, sizeof(dns_rdata_t), rdata_compare_wrapper);
*rdata = data;
*nrdata = n;
dns_rdataset_disassociate(&rdataset);
return ISC_R_SUCCESS;
}
isc_result_t
dns_dnssec_keyfromrdata(const dns_name_t *name, const dns_rdata_t *rdata,
isc_mem_t *mctx, dst_key_t **key) {
isc_buffer_t b;
isc_region_t r;
INSIST(name != NULL);
INSIST(rdata != NULL);
INSIST(mctx != NULL);
INSIST(key != NULL);
INSIST(*key == NULL);
REQUIRE(rdata->type == dns_rdatatype_key ||
rdata->type == dns_rdatatype_dnskey);
dns_rdata_toregion(rdata, &r);
isc_buffer_init(&b, r.base, r.length);
isc_buffer_add(&b, r.length);
return dst_key_fromdns(name, rdata->rdclass, &b, mctx, key);
}
static isc_result_t
digest_sig(dst_context_t *ctx, bool downcase, dns_rdata_t *sigrdata,
dns_rdata_rrsig_t *rrsig) {
isc_region_t r;
isc_result_t ret;
dns_fixedname_t fname;
dns_rdata_toregion(sigrdata, &r);
INSIST(r.length >= 19);
r.length = 18;
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS) {
return ret;
}
if (downcase) {
dns_fixedname_init(&fname);
RUNTIME_CHECK(dns_name_downcase(&rrsig->signer,
dns_fixedname_name(&fname),
NULL) == ISC_R_SUCCESS);
dns_name_toregion(dns_fixedname_name(&fname), &r);
} else {
dns_name_toregion(&rrsig->signer, &r);
}
return dst_context_adddata(ctx, &r);
}
isc_result_t
dns_dnssec_sign(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
isc_stdtime_t *inception, isc_stdtime_t *expire,
isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata) {
dns_rdata_rrsig_t sig;
dns_rdata_t tmpsigrdata;
dns_rdata_t *rdatas;
int nrdatas, i;
isc_buffer_t sigbuf, envbuf;
isc_region_t r;
dst_context_t *ctx = NULL;
isc_result_t ret;
isc_buffer_t *databuf = NULL;
char data[256 + 8];
unsigned int sigsize;
dns_fixedname_t fnewname;
dns_fixedname_t fsigner;
REQUIRE(name != NULL);
REQUIRE(dns_name_countlabels(name) <= 255);
REQUIRE(set != NULL);
REQUIRE(key != NULL);
REQUIRE(inception != NULL);
REQUIRE(expire != NULL);
REQUIRE(mctx != NULL);
REQUIRE(sigrdata != NULL);
if (*inception >= *expire) {
return DNS_R_INVALIDTIME;
}
sig.mctx = mctx;
sig.common.rdclass = set->rdclass;
sig.common.rdtype = dns_rdatatype_rrsig;
ISC_LINK_INIT(&sig.common, link);
/*
* Downcase signer.
*/
dns_name_init(&sig.signer, NULL);
dns_fixedname_init(&fsigner);
RUNTIME_CHECK(dns_name_downcase(dst_key_name(key),
dns_fixedname_name(&fsigner),
NULL) == ISC_R_SUCCESS);
dns_name_clone(dns_fixedname_name(&fsigner), &sig.signer);
sig.covered = set->type;
sig.algorithm = dst_key_alg(key);
sig.labels = dns_name_countlabels(name) - 1;
if (dns_name_iswildcard(name)) {
sig.labels--;
}
sig.originalttl = set->ttl;
sig.timesigned = *inception;
sig.timeexpire = *expire;
sig.keyid = dst_key_id(key);
ret = dst_key_sigsize(key, &sigsize);
if (ret != ISC_R_SUCCESS) {
return ret;
}
sig.siglen = sigsize;
/*
* The actual contents of sig.signature are not important yet, since
* they're not used in digest_sig().
*/
sig.signature = isc_mem_get(mctx, sig.siglen);
isc_buffer_allocate(mctx, &databuf, sigsize + 256 + 18);
dns_rdata_init(&tmpsigrdata);
ret = dns_rdata_fromstruct(&tmpsigrdata, sig.common.rdclass,
sig.common.rdtype, &sig, databuf);
if (ret != ISC_R_SUCCESS) {
goto cleanup_databuf;
}
ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, true, 0,
&ctx);
if (ret != ISC_R_SUCCESS) {
goto cleanup_databuf;
}
/*
* Digest the SIG rdata.
*/
ret = digest_sig(ctx, false, &tmpsigrdata, &sig);
if (ret != ISC_R_SUCCESS) {
goto cleanup_context;
}
dns_fixedname_init(&fnewname);
RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
NULL) == ISC_R_SUCCESS);
dns_name_toregion(dns_fixedname_name(&fnewname), &r);
/*
* Create an envelope for each rdata: <name|type|class|ttl>.
*/
isc_buffer_init(&envbuf, data, sizeof(data));
memmove(data, r.base, r.length);
isc_buffer_add(&envbuf, r.length);
isc_buffer_putuint16(&envbuf, set->type);
isc_buffer_putuint16(&envbuf, set->rdclass);
isc_buffer_putuint32(&envbuf, set->ttl);
ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
if (ret != ISC_R_SUCCESS) {
goto cleanup_context;
}
isc_buffer_usedregion(&envbuf, &r);
for (i = 0; i < nrdatas; i++) {
uint16_t len;
isc_buffer_t lenbuf;
isc_region_t lenr;
/*
* Skip duplicates.
*/
if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i - 1]) == 0)
{
continue;
}
/*
* Digest the envelope.
*/
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS) {
goto cleanup_array;
}
/*
* Digest the length of the rdata.
*/
isc_buffer_init(&lenbuf, &len, sizeof(len));
isc_buffer_putuint16(&lenbuf, (uint16_t)rdatas[i].length);
isc_buffer_usedregion(&lenbuf, &lenr);
ret = dst_context_adddata(ctx, &lenr);
if (ret != ISC_R_SUCCESS) {
goto cleanup_array;
}
/*
* Digest the rdata.
*/
ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
if (ret != ISC_R_SUCCESS) {
goto cleanup_array;
}
}
isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
ret = dst_context_sign(ctx, &sigbuf);
if (ret != ISC_R_SUCCESS) {
goto cleanup_array;
}
isc_buffer_usedregion(&sigbuf, &r);
if (r.length != sig.siglen) {
ret = ISC_R_NOSPACE;
goto cleanup_array;
}
ret = dns_rdata_fromstruct(sigrdata, sig.common.rdclass,
sig.common.rdtype, &sig, buffer);
cleanup_array:
isc_mem_cput(mctx, rdatas, nrdatas, sizeof(dns_rdata_t));
cleanup_context:
dst_context_destroy(&ctx);
cleanup_databuf:
isc_buffer_free(&databuf);
isc_mem_put(mctx, sig.signature, sig.siglen);
return ret;
}
isc_result_t
dns_dnssec_verify(const dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
bool ignoretime, unsigned int maxbits, isc_mem_t *mctx,
dns_rdata_t *sigrdata, dns_name_t *wild) {
dns_rdata_rrsig_t sig;
dns_fixedname_t fnewname;
isc_region_t r;
isc_buffer_t envbuf;
dns_rdata_t *rdatas;
int nrdatas, i;
isc_stdtime_t now;
isc_result_t ret;
unsigned char data[300];
dst_context_t *ctx = NULL;
int labels = 0;
bool downcase = false;
REQUIRE(name != NULL);
REQUIRE(set != NULL);
REQUIRE(key != NULL);
REQUIRE(mctx != NULL);
REQUIRE(sigrdata != NULL && sigrdata->type == dns_rdatatype_rrsig);
ret = dns_rdata_tostruct(sigrdata, &sig, NULL);
if (ret != ISC_R_SUCCESS) {
return ret;
}
if (set->type != sig.covered) {
return DNS_R_SIGINVALID;
}
if (isc_serial_lt(sig.timeexpire, sig.timesigned)) {
inc_stat(dns_dnssecstats_fail);
return DNS_R_SIGINVALID;
}
if (!ignoretime) {
now = isc_stdtime_now();
/*
* Is SIG temporally valid?
*/
if (isc_serial_lt((uint32_t)now, sig.timesigned)) {
inc_stat(dns_dnssecstats_fail);
return DNS_R_SIGFUTURE;
} else if (isc_serial_lt(sig.timeexpire, (uint32_t)now)) {
inc_stat(dns_dnssecstats_fail);
return DNS_R_SIGEXPIRED;
}
}
/*
* NS, SOA and DNSSKEY records are signed by their owner.
* DS records are signed by the parent.
*/
switch (set->type) {
case dns_rdatatype_ns:
case dns_rdatatype_soa:
case dns_rdatatype_dnskey:
if (!dns_name_equal(name, &sig.signer)) {
inc_stat(dns_dnssecstats_fail);
return DNS_R_SIGINVALID;
}
break;
case dns_rdatatype_ds:
if (dns_name_equal(name, &sig.signer)) {
inc_stat(dns_dnssecstats_fail);
return DNS_R_SIGINVALID;
}
FALLTHROUGH;
default:
if (!dns_name_issubdomain(name, &sig.signer)) {
inc_stat(dns_dnssecstats_fail);
return DNS_R_SIGINVALID;
}
break;
}
again:
ret = dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, false,
maxbits, &ctx);
if (ret != ISC_R_SUCCESS) {
goto cleanup_struct;
}
/*
* Digest the SIG rdata (not including the signature).
*/
ret = digest_sig(ctx, downcase, sigrdata, &sig);
if (ret != ISC_R_SUCCESS) {
goto cleanup_context;
}
/*
* If the name is an expanded wildcard, use the wildcard name.
*/
dns_fixedname_init(&fnewname);
labels = dns_name_countlabels(name) - 1;
RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
NULL) == ISC_R_SUCCESS);
if (labels - sig.labels > 0) {
dns_name_split(dns_fixedname_name(&fnewname), sig.labels + 1,
NULL, dns_fixedname_name(&fnewname));
}
dns_name_toregion(dns_fixedname_name(&fnewname), &r);
/*
* Create an envelope for each rdata: <name|type|class|ttl>.
*/
isc_buffer_init(&envbuf, data, sizeof(data));
if (labels - sig.labels > 0) {
isc_buffer_putuint8(&envbuf, 1);
isc_buffer_putuint8(&envbuf, '*');
memmove(data + 2, r.base, r.length);
} else {
memmove(data, r.base, r.length);
}
isc_buffer_add(&envbuf, r.length);
isc_buffer_putuint16(&envbuf, set->type);
isc_buffer_putuint16(&envbuf, set->rdclass);
isc_buffer_putuint32(&envbuf, sig.originalttl);
ret = rdataset_to_sortedarray(set, mctx, &rdatas, &nrdatas);
if (ret != ISC_R_SUCCESS) {
goto cleanup_context;
}
isc_buffer_usedregion(&envbuf, &r);
for (i = 0; i < nrdatas; i++) {
uint16_t len;
isc_buffer_t lenbuf;
isc_region_t lenr;
/*
* Skip duplicates.
*/
if (i > 0 && dns_rdata_compare(&rdatas[i], &rdatas[i - 1]) == 0)
{
continue;
}
/*
* Digest the envelope.
*/
ret = dst_context_adddata(ctx, &r);
if (ret != ISC_R_SUCCESS) {
goto cleanup_array;
}
/*
* Digest the rdata length.
*/
isc_buffer_init(&lenbuf, &len, sizeof(len));
isc_buffer_putuint16(&lenbuf, (uint16_t)rdatas[i].length);
isc_buffer_usedregion(&lenbuf, &lenr);
/*
* Digest the rdata.
*/
ret = dst_context_adddata(ctx, &lenr);
if (ret != ISC_R_SUCCESS) {
goto cleanup_array;
}
ret = dns_rdata_digest(&rdatas[i], digest_callback, ctx);
if (ret != ISC_R_SUCCESS) {
goto cleanup_array;
}
}
r.base = sig.signature;
r.length = sig.siglen;
ret = dst_context_verify2(ctx, maxbits, &r);
if (ret == ISC_R_SUCCESS && downcase) {
char namebuf[DNS_NAME_FORMATSIZE];
dns_name_format(&sig.signer, namebuf, sizeof(namebuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
DNS_LOGMODULE_DNSSEC, ISC_LOG_DEBUG(1),
"successfully validated after lower casing "
"signer '%s'",
namebuf);
inc_stat(dns_dnssecstats_downcase);
} else if (ret == ISC_R_SUCCESS) {
inc_stat(dns_dnssecstats_asis);
}
cleanup_array:
isc_mem_cput(mctx, rdatas, nrdatas, sizeof(dns_rdata_t));
cleanup_context:
dst_context_destroy(&ctx);
if (ret == DST_R_VERIFYFAILURE && !downcase) {
downcase = true;
goto again;
}
cleanup_struct:
dns_rdata_freestruct(&sig);
if (ret == DST_R_VERIFYFAILURE) {
ret = DNS_R_SIGINVALID;
}
if (ret != ISC_R_SUCCESS) {
inc_stat(dns_dnssecstats_fail);
}
if (ret == ISC_R_SUCCESS && labels - sig.labels > 0) {
if (wild != NULL) {
RUNTIME_CHECK(dns_name_concatenate(
dns_wildcardname,
dns_fixedname_name(&fnewname),
wild, NULL) == ISC_R_SUCCESS);
}
inc_stat(dns_dnssecstats_wildcard);
ret = DNS_R_FROMWILDCARD;
}
return ret;
}
bool
dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now) {
isc_result_t result;
isc_stdtime_t publish, active, revoke, remove;
bool hint_publish, hint_zsign, hint_ksign, hint_revoke, hint_remove;
int major, minor;
bool ksk = false, zsk = false;
isc_result_t ret;
/* Is this an old-style key? */
result = dst_key_getprivateformat(key, &major, &minor);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
/* Is this a KSK? */
ret = dst_key_getbool(key, DST_BOOL_KSK, &ksk);
if (ret != ISC_R_SUCCESS) {
ksk = ((dst_key_flags(key) & DNS_KEYFLAG_KSK) != 0);
}
ret = dst_key_getbool(key, DST_BOOL_ZSK, &zsk);
if (ret != ISC_R_SUCCESS) {
zsk = ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0);
}
/*
* Smart signing started with key format 1.3; prior to that, all
* keys are assumed active.
*/
if (major == 1 && minor <= 2) {
return true;
}
hint_publish = dst_key_is_published(key, now, &publish);
hint_zsign = dst_key_is_signing(key, DST_BOOL_ZSK, now, &active);
hint_ksign = dst_key_is_signing(key, DST_BOOL_KSK, now, &active);
hint_revoke = dst_key_is_revoked(key, now, &revoke);
hint_remove = dst_key_is_removed(key, now, &remove);
if (hint_remove) {
return false;
}
if (hint_publish && hint_revoke) {
return true;
}
if (hint_zsign && zsk) {
return true;
}
if (hint_ksign && ksk) {
return true;
}
return false;
}
/*%<
* Indicate whether a key is scheduled to to have CDS/CDNSKEY records
* published now.
*
* Returns true if.
* - kasp says the DS record should be published (e.g. the DS state is in
* RUMOURED or OMNIPRESENT state).
* Or:
* - SyncPublish is set and in the past, AND
* - SyncDelete is unset or in the future
*/
static bool
syncpublish(dst_key_t *key, isc_stdtime_t now) {
isc_result_t result;
isc_stdtime_t when;
dst_key_state_t state;
int major, minor;
bool publish;
/*
* Is this an old-style key?
*/
result = dst_key_getprivateformat(key, &major, &minor);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
/*
* Smart signing started with key format 1.3
*/
if (major == 1 && minor <= 2) {
return false;
}
/* Check kasp state first. */
result = dst_key_getstate(key, DST_KEY_DS, &state);
if (result == ISC_R_SUCCESS) {
return state == DST_KEY_STATE_RUMOURED ||
state == DST_KEY_STATE_OMNIPRESENT;
}
/* If no kasp state, check timings. */
publish = false;
result = dst_key_gettime(key, DST_TIME_SYNCPUBLISH, &when);
if (result == ISC_R_SUCCESS && when <= now) {
publish = true;
}
result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when);
if (result == ISC_R_SUCCESS && when < now) {
publish = false;
}
return publish;
}
/*%<
* Indicate whether a key is scheduled to to have CDS/CDNSKEY records
* deleted now.
*
* Returns true if:
* - kasp says the DS record should be unpublished (e.g. the DS state is in
* UNRETENTIVE or HIDDEN state).
* Or:
* - SyncDelete is set and in the past.
*/
static bool
syncdelete(dst_key_t *key, isc_stdtime_t now) {
isc_result_t result;
isc_stdtime_t when;
dst_key_state_t state;
int major, minor;
/*
* Is this an old-style key?
*/
result = dst_key_getprivateformat(key, &major, &minor);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
/*
* Smart signing started with key format 1.3.
*/
if (major == 1 && minor <= 2) {
return false;
}
/* Check kasp state first. */
result = dst_key_getstate(key, DST_KEY_DS, &state);
if (result == ISC_R_SUCCESS) {
return state == DST_KEY_STATE_UNRETENTIVE ||
state == DST_KEY_STATE_HIDDEN;
}
/* If no kasp state, check timings. */
result = dst_key_gettime(key, DST_TIME_SYNCDELETE, &when);
if (result != ISC_R_SUCCESS) {
return false;
}
if (when <= now) {
return true;
}
return false;
}
#define is_zone_key(key) \
((dst_key_flags(key) & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE)
isc_result_t
dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key) {
dns_rdata_sig_t sig; /* SIG(0) */
unsigned char data[512];
unsigned char header[DNS_MESSAGE_HEADERLEN];
isc_buffer_t headerbuf, databuf, sigbuf;
unsigned int sigsize;
isc_buffer_t *dynbuf = NULL;
dns_rdata_t *rdata;
dns_rdatalist_t *datalist;
dns_rdataset_t *dataset;
isc_region_t r;
isc_stdtime_t now;
dst_context_t *ctx = NULL;
isc_mem_t *mctx;
isc_result_t result;
REQUIRE(msg != NULL);
REQUIRE(key != NULL);
if (is_response(msg)) {
REQUIRE(msg->query.base != NULL);
}
mctx = msg->mctx;
memset(&sig, 0, sizeof(sig));
sig.mctx = mctx;
sig.common.rdclass = dns_rdataclass_any;
sig.common.rdtype = dns_rdatatype_sig; /* SIG(0) */
ISC_LINK_INIT(&sig.common, link);
sig.covered = 0;
sig.algorithm = dst_key_alg(key);
sig.labels = 0; /* the root name */
sig.originalttl = 0;
if (msg->fuzzing) {
now = msg->fuzztime;
} else {
now = isc_stdtime_now();
}
sig.timesigned = now - DNS_TSIG_FUDGE;
sig.timeexpire = now + DNS_TSIG_FUDGE;
sig.keyid = dst_key_id(key);
dns_name_init(&sig.signer, NULL);
dns_name_clone(dst_key_name(key), &sig.signer);
sig.siglen = 0;
sig.signature = NULL;
isc_buffer_init(&databuf, data, sizeof(data));
RETERR(dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, true, 0,
&ctx));
/*
* Digest the fields of the SIG - we can cheat and use
* dns_rdata_fromstruct. Since siglen is 0, the digested data
* is identical to dns format.
*/
RETERR(dns_rdata_fromstruct(NULL, dns_rdataclass_any,
dns_rdatatype_sig /* SIG(0) */, &sig,
&databuf));
isc_buffer_usedregion(&databuf, &r);
RETERR(dst_context_adddata(ctx, &r));
/*
* If this is a response, digest the query.
*/
if (is_response(msg)) {
RETERR(dst_context_adddata(ctx, &msg->query));
}
/*
* Digest the header.
*/
isc_buffer_init(&headerbuf, header, sizeof(header));
dns_message_renderheader(msg, &headerbuf);
isc_buffer_usedregion(&headerbuf, &r);
RETERR(dst_context_adddata(ctx, &r));
/*
* Digest the remainder of the message.
*/
isc_buffer_usedregion(msg->buffer, &r);
isc_region_consume(&r, DNS_MESSAGE_HEADERLEN);
RETERR(dst_context_adddata(ctx, &r));
RETERR(dst_key_sigsize(key, &sigsize));
sig.siglen = sigsize;
sig.signature = isc_mem_get(mctx, sig.siglen);
isc_buffer_init(&sigbuf, sig.signature, sig.siglen);
RETERR(dst_context_sign(ctx, &sigbuf));
dst_context_destroy(&ctx);
rdata = NULL;
dns_message_gettemprdata(msg, &rdata);
isc_buffer_allocate(msg->mctx, &dynbuf, 1024);
RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
dns_rdatatype_sig /* SIG(0) */, &sig,
dynbuf));
isc_mem_put(mctx, sig.signature, sig.siglen);
dns_message_takebuffer(msg, &dynbuf);
datalist = NULL;
dns_message_gettemprdatalist(msg, &datalist);
datalist->rdclass = dns_rdataclass_any;
datalist->type = dns_rdatatype_sig; /* SIG(0) */
ISC_LIST_APPEND(datalist->rdata, rdata, link);
dataset = NULL;
dns_message_gettemprdataset(msg, &dataset);
dns_rdatalist_tordataset(datalist, dataset);
msg->sig0 = dataset;
return ISC_R_SUCCESS;
failure:
if (dynbuf != NULL) {
isc_buffer_free(&dynbuf);
}
if (sig.signature != NULL) {
isc_mem_put(mctx, sig.signature, sig.siglen);
}
if (ctx != NULL) {
dst_context_destroy(&ctx);
}
return result;
}
isc_result_t
dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
dst_key_t *key) {
dns_rdata_sig_t sig; /* SIG(0) */
unsigned char header[DNS_MESSAGE_HEADERLEN];
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_region_t r, source_r, sig_r, header_r;
isc_stdtime_t now;
dst_context_t *ctx = NULL;
isc_mem_t *mctx;
isc_result_t result;
uint16_t addcount, addcount_n;
bool signeedsfree = false;
REQUIRE(source != NULL);
REQUIRE(msg != NULL);
REQUIRE(key != NULL);
mctx = msg->mctx;
msg->verify_attempted = 1;
msg->verified_sig = 0;
msg->sig0status = dns_tsigerror_badsig;
if (is_response(msg)) {
if (msg->query.base == NULL) {
return DNS_R_UNEXPECTEDTSIG;
}
}
isc_buffer_usedregion(source, &source_r);
RETERR(dns_rdataset_first(msg->sig0));
dns_rdataset_current(msg->sig0, &rdata);
RETERR(dns_rdata_tostruct(&rdata, &sig, NULL));
signeedsfree = true;
if (sig.labels != 0) {
result = DNS_R_SIGINVALID;
goto failure;
}
if (isc_serial_lt(sig.timeexpire, sig.timesigned)) {
result = DNS_R_SIGINVALID;
msg->sig0status = dns_tsigerror_badtime;
goto failure;
}
if (msg->fuzzing) {
now = msg->fuzztime;
} else {
now = isc_stdtime_now();
}
if (isc_serial_lt((uint32_t)now, sig.timesigned)) {
result = DNS_R_SIGFUTURE;
msg->sig0status = dns_tsigerror_badtime;
goto failure;
} else if (isc_serial_lt(sig.timeexpire, (uint32_t)now)) {
result = DNS_R_SIGEXPIRED;
msg->sig0status = dns_tsigerror_badtime;
goto failure;
}
if (!dns_name_equal(dst_key_name(key), &sig.signer)) {
result = DNS_R_SIGINVALID;
msg->sig0status = dns_tsigerror_badkey;
goto failure;
}
RETERR(dst_context_create(key, mctx, DNS_LOGCATEGORY_DNSSEC, false, 0,
&ctx));
/*
* Digest the SIG(0) record, except for the signature.
*/
dns_rdata_toregion(&rdata, &r);
r.length -= sig.siglen;
RETERR(dst_context_adddata(ctx, &r));
/*
* If this is a response, digest the query.
*/
if (is_response(msg)) {
RETERR(dst_context_adddata(ctx, &msg->query));
}
/*
* Extract the header.
*/
memmove(header, source_r.base, DNS_MESSAGE_HEADERLEN);
/*
* Decrement the additional field counter.
*/
memmove(&addcount, &header[DNS_MESSAGE_HEADERLEN - 2], 2);
addcount_n = ntohs(addcount);
addcount = htons((uint16_t)(addcount_n - 1));
memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
/*
* Digest the modified header.
*/
header_r.base = (unsigned char *)header;
header_r.length = DNS_MESSAGE_HEADERLEN;
RETERR(dst_context_adddata(ctx, &header_r));
/*
* Digest all non-SIG(0) records.
*/
r.base = source_r.base + DNS_MESSAGE_HEADERLEN;
r.length = msg->sigstart - DNS_MESSAGE_HEADERLEN;
RETERR(dst_context_adddata(ctx, &r));
sig_r.base = sig.signature;
sig_r.length = sig.siglen;
result = dst_context_verify(ctx, &sig_r);
if (result != ISC_R_SUCCESS) {
msg->sig0status = dns_tsigerror_badsig;
goto failure;
}
msg->verified_sig = 1;
msg->sig0status = dns_rcode_noerror;
dst_context_destroy(&ctx);
dns_rdata_freestruct(&sig);
return ISC_R_SUCCESS;
failure:
if (signeedsfree) {
dns_rdata_freestruct(&sig);
}
if (ctx != NULL) {
dst_context_destroy(&ctx);
}
return result;
}
/*%
* Does this key ('rdata') self sign the rrset ('rdataset')?
*/
bool
dns_dnssec_selfsigns(dns_rdata_t *rdata, const dns_name_t *name,
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
bool ignoretime, isc_mem_t *mctx) {
INSIST(rdataset->type == dns_rdatatype_key ||
rdataset->type == dns_rdatatype_dnskey);
if (rdataset->type == dns_rdatatype_key) {
INSIST(sigrdataset->type == dns_rdatatype_sig);
INSIST(sigrdataset->covers == dns_rdatatype_key);
} else {
INSIST(sigrdataset->type == dns_rdatatype_rrsig);
INSIST(sigrdataset->covers == dns_rdatatype_dnskey);
}
return dns_dnssec_signs(rdata, name, rdataset, sigrdataset, ignoretime,
mctx);
}
bool
dns_dnssec_signs(dns_rdata_t *rdata, const dns_name_t *name,
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
bool ignoretime, isc_mem_t *mctx) {
dst_key_t *dstkey = NULL;
dns_keytag_t keytag;
dns_rdata_dnskey_t key;
dns_rdata_rrsig_t sig;
dns_rdata_t sigrdata = DNS_RDATA_INIT;
isc_result_t result;
INSIST(sigrdataset->type == dns_rdatatype_rrsig);
if (sigrdataset->covers != rdataset->type) {
return false;
}
result = dns_dnssec_keyfromrdata(name, rdata, mctx, &dstkey);
if (result != ISC_R_SUCCESS) {
return false;
}
result = dns_rdata_tostruct(rdata, &key, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
keytag = dst_key_id(dstkey);
for (result = dns_rdataset_first(sigrdataset); result == ISC_R_SUCCESS;
result = dns_rdataset_next(sigrdataset))
{
dns_rdata_reset(&sigrdata);
dns_rdataset_current(sigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (sig.algorithm == key.algorithm && sig.keyid == keytag) {
result = dns_dnssec_verify(name, rdataset, dstkey,
ignoretime, 0, mctx,
&sigrdata, NULL);
if (result == ISC_R_SUCCESS) {
dst_key_free(&dstkey);
return true;
}
}
}
dst_key_free(&dstkey);
return false;
}
void
dns_dnsseckey_create(isc_mem_t *mctx, dst_key_t **dstkey,
dns_dnsseckey_t **dkp) {
isc_result_t result;
dns_dnsseckey_t *dk;
int major, minor;
REQUIRE(dkp != NULL && *dkp == NULL);
dk = isc_mem_get(mctx, sizeof(dns_dnsseckey_t));
dk->key = *dstkey;
*dstkey = NULL;
dk->force_publish = false;
dk->force_sign = false;
dk->hint_publish = false;
dk->hint_sign = false;
dk->hint_revoke = false;
dk->hint_remove = false;
dk->first_sign = false;
dk->is_active = false;
dk->pubkey = false;
dk->purge = false;
dk->prepublish = 0;
dk->source = dns_keysource_unknown;
dk->index = 0;
/* KSK or ZSK? */
result = dst_key_getbool(dk->key, DST_BOOL_KSK, &dk->ksk);
if (result != ISC_R_SUCCESS) {
dk->ksk = ((dst_key_flags(dk->key) & DNS_KEYFLAG_KSK) != 0);
}
result = dst_key_getbool(dk->key, DST_BOOL_ZSK, &dk->zsk);
if (result != ISC_R_SUCCESS) {
dk->zsk = ((dst_key_flags(dk->key) & DNS_KEYFLAG_KSK) == 0);
}
/* Is this an old-style key? */
result = dst_key_getprivateformat(dk->key, &major, &minor);
INSIST(result == ISC_R_SUCCESS);
/* Smart signing started with key format 1.3 */
dk->legacy = (major == 1 && minor <= 2);
ISC_LINK_INIT(dk, link);
*dkp = dk;
}
void
dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp) {
dns_dnsseckey_t *dk;
REQUIRE(dkp != NULL && *dkp != NULL);
dk = *dkp;
*dkp = NULL;
if (dk->key != NULL) {
dst_key_free(&dk->key);
}
isc_mem_put(mctx, dk, sizeof(dns_dnsseckey_t));
}
void
dns_dnssec_get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) {
isc_stdtime_t publish = 0, active = 0, revoke = 0, remove = 0;
REQUIRE(key != NULL && key->key != NULL);
key->hint_publish = dst_key_is_published(key->key, now, &publish);
key->hint_sign = dst_key_is_signing(key->key, DST_BOOL_ZSK, now,
&active);
key->hint_revoke = dst_key_is_revoked(key->key, now, &revoke);
key->hint_remove = dst_key_is_removed(key->key, now, &remove);
/*
* Activation date is set (maybe in the future), but publication date
* isn't. Most likely the user wants to publish now and activate later.
* Most likely because this is true for most rollovers, except for:
* 1. The unpopular ZSK Double-RRSIG method.
* 2. When introducing a new algorithm.
* These two cases are rare enough that we will set hint_publish
* anyway when hint_sign is set, because BIND 9 natively does not
* support the ZSK Double-RRSIG method, and when introducing a new
* algorithm, we strive to publish its signatures and DNSKEY records
* at the same time.
*/
if (key->hint_sign && publish == 0) {
key->hint_publish = true;
}
/*
* If activation date is in the future, make note of how far off.
*/
if (key->hint_publish && active > now) {
key->prepublish = active - now;
}
/*
* Metadata says revoke. If the key is published, we *have to* sign
* with it per RFC5011 -- even if it was not active before.
*
* If it hasn't already been done, we should also revoke it now.
*/
if (key->hint_publish && key->hint_revoke) {
uint32_t flags;
key->hint_sign = true;
flags = dst_key_flags(key->key);
if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
flags |= DNS_KEYFLAG_REVOKE;
dst_key_setflags(key->key, flags);
}
}
/*
* Metadata says delete, so don't publish this key or sign with it
* (note that signatures of a removed key may still be reused).
*/
if (key->hint_remove) {
key->hint_publish = false;
key->hint_sign = false;
}
}
static isc_result_t
findmatchingkeys(const char *directory, char *namebuf, unsigned int len,
isc_mem_t *mctx, isc_stdtime_t now,
dns_dnsseckeylist_t *list) {
isc_result_t result = ISC_R_SUCCESS;
isc_dir_t dir;
bool dir_open = false;
unsigned int i, alg;
dns_dnsseckey_t *key = NULL;
dst_key_t *dstkey = NULL;
isc_dir_init(&dir);
if (directory == NULL) {
directory = ".";
}
RETERR(isc_dir_open(&dir, directory));
dir_open = true;
while (isc_dir_read(&dir) == ISC_R_SUCCESS) {
if (dir.entry.name[0] != 'K' || dir.entry.length < len + 1 ||
dir.entry.name[len + 1] != '+' ||
strncasecmp(dir.entry.name + 1, namebuf, len) != 0)
{
continue;
}
alg = 0;
for (i = len + 1 + 1; i < dir.entry.length; i++) {
if (!isdigit((unsigned char)dir.entry.name[i])) {
break;
}
alg *= 10;
alg += dir.entry.name[i] - '0';
}
/*
* Did we not read exactly 3 digits?
* Did we overflow?
* Did we correctly terminate?
*/
if (i != len + 1 + 1 + 3 || i >= dir.entry.length ||
dir.entry.name[i] != '+')
{
continue;
}
for (i++; i < dir.entry.length; i++) {
if (!isdigit((unsigned char)dir.entry.name[i])) {
break;
}
}
/*
* Did we not read exactly 5 more digits?
* Did we overflow?
* Did we correctly terminate?
*/
if (i != len + 1 + 1 + 3 + 1 + 5 || i >= dir.entry.length ||
strcmp(dir.entry.name + i, ".private") != 0)
{
continue;
}
dstkey = NULL;
result = dst_key_fromnamedfile(
dir.entry.name, directory,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE,
mctx, &dstkey);
switch (alg) {
case DST_ALG_HMACMD5:
case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256:
case DST_ALG_HMACSHA384:
case DST_ALG_HMACSHA512:
if (result == DST_R_BADKEYTYPE) {
continue;
}
}
if (result != ISC_R_SUCCESS) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
"dns_dnssec_findmatchingkeys: "
"error reading key file %s: %s",
dir.entry.name,
isc_result_totext(result));
continue;
}
dns_dnsseckey_create(mctx, &dstkey, &key);
key->source = dns_keysource_repository;
dns_dnssec_get_hints(key, now);
if (key->legacy) {
dns_dnsseckey_destroy(mctx, &key);
} else {
ISC_LIST_APPEND(*list, key, link);
key = NULL;
}
}
failure:
if (dir_open) {
isc_dir_close(&dir);
}
if (dstkey != NULL) {
dst_key_free(&dstkey);
}
return result;
}
/*%
* Get a list of DNSSEC keys from the key repository.
*/
isc_result_t
dns_dnssec_findmatchingkeys(const dns_name_t *origin, dns_kasp_t *kasp,
const char *keydir, dns_keystorelist_t *keystores,
isc_stdtime_t now, isc_mem_t *mctx,
dns_dnsseckeylist_t *keylist) {
isc_result_t result = ISC_R_SUCCESS;
dns_dnsseckeylist_t list;
dns_dnsseckey_t *key = NULL;
char namebuf[DNS_NAME_FORMATSIZE];
isc_buffer_t b;
unsigned int len;
REQUIRE(keylist != NULL);
ISC_LIST_INIT(list);
isc_buffer_init(&b, namebuf, sizeof(namebuf) - 1);
RETERR(dns_name_tofilenametext(origin, false, &b));
len = isc_buffer_usedlength(&b);
namebuf[len] = '\0';
if (kasp == NULL || (strcmp(dns_kasp_getname(kasp), "none") == 0) ||
(strcmp(dns_kasp_getname(kasp), "insecure") == 0))
{
RETERR(findmatchingkeys(keydir, namebuf, len, mctx, now,
&list));
} else if (keystores != NULL) {
for (dns_keystore_t *keystore = ISC_LIST_HEAD(*keystores);
keystore != NULL; keystore = ISC_LIST_NEXT(keystore, link))
{
for (dns_kasp_key_t *kkey =
ISC_LIST_HEAD(dns_kasp_keys(kasp));
kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link))
{
if (dns_kasp_key_keystore(kkey) == keystore) {
const char *directory =
dns_keystore_directory(keystore,
keydir);
RETERR(findmatchingkeys(
directory, namebuf, len, mctx,
now, &list));
break;
}
}
}
}
if (!ISC_LIST_EMPTY(list)) {
result = ISC_R_SUCCESS;
ISC_LIST_APPENDLIST(*keylist, list, link);
} else {
result = ISC_R_NOTFOUND;
}
failure:
while ((key = ISC_LIST_HEAD(list)) != NULL) {
ISC_LIST_UNLINK(list, key, link);
INSIST(key->key != NULL);
dst_key_free(&key->key);
dns_dnsseckey_destroy(mctx, &key);
}
return result;
}
/*%
* Add 'newkey' to 'keylist' if it's not already there.
*
* If 'savekeys' is true, then we need to preserve all
* the keys in the keyset, regardless of whether they have
* metadata indicating they should be deactivated or removed.
*/
static void
addkey(dns_dnsseckeylist_t *keylist, dst_key_t **newkey, bool savekeys,
bool pubkey_only, isc_mem_t *mctx) {
dns_dnsseckey_t *key = NULL;
/* Skip duplicates */
for (key = ISC_LIST_HEAD(*keylist); key != NULL;
key = ISC_LIST_NEXT(key, link))
{
if (dst_key_id(key->key) == dst_key_id(*newkey) &&
dst_key_alg(key->key) == dst_key_alg(*newkey) &&
dns_name_equal(dst_key_name(key->key),
dst_key_name(*newkey)))
{
break;
}
}
if (key != NULL) {
/*
* Found a match. If we already had a private key, then
* the new key can't be an improvement. If the existing
* key was public-only but the new key is too, then it's
* still not an improvement. Mark the old key as having
* been found in the zone and stop.
*/
if (dst_key_isprivate(key->key) || !dst_key_isprivate(*newkey))
{
key->source = dns_keysource_zoneapex;
return;
}
/*
* However, if the old key was public-only, and the new key
* is private, then we're throwing away the old key.
*/
dst_key_free(&key->key);
ISC_LIST_UNLINK(*keylist, key, link);
dns_dnsseckey_destroy(mctx, &key);
}
/* Store the new key. */
dns_dnsseckey_create(mctx, newkey, &key);
key->source = dns_keysource_zoneapex;
key->pubkey = pubkey_only;
if (key->legacy || savekeys) {
key->force_publish = true;
key->force_sign = dst_key_isprivate(key->key);
}
ISC_LIST_APPEND(*keylist, key, link);
*newkey = NULL;
}
/*%
* Mark all keys which signed the DNSKEY/SOA RRsets as "active",
* for future reference.
*/
static isc_result_t
mark_active_keys(dns_dnsseckeylist_t *keylist, dns_rdataset_t *rrsigs) {
isc_result_t result = ISC_R_SUCCESS;
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_t sigs;
dns_dnsseckey_t *key;
REQUIRE(rrsigs != NULL && dns_rdataset_isassociated(rrsigs));
dns_rdataset_init(&sigs);
dns_rdataset_clone(rrsigs, &sigs);
for (key = ISC_LIST_HEAD(*keylist); key != NULL;
key = ISC_LIST_NEXT(key, link))
{
uint16_t keyid, sigid;
dns_secalg_t keyalg, sigalg;
keyid = dst_key_id(key->key);
keyalg = dst_key_alg(key->key);
for (result = dns_rdataset_first(&sigs);
result == ISC_R_SUCCESS; result = dns_rdataset_next(&sigs))
{
dns_rdata_rrsig_t sig;
dns_rdata_reset(&rdata);
dns_rdataset_current(&sigs, &rdata);
result = dns_rdata_tostruct(&rdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
sigalg = sig.algorithm;
sigid = sig.keyid;
if (keyid == sigid && keyalg == sigalg) {
key->is_active = true;
break;
}
}
}
if (result == ISC_R_NOMORE) {
result = ISC_R_SUCCESS;
}
if (dns_rdataset_isassociated(&sigs)) {
dns_rdataset_disassociate(&sigs);
}
return result;
}
static isc_result_t
keyfromfile(dns_kasp_t *kasp, const char *keydir, dst_key_t *key, int type,
isc_mem_t *mctx, dst_key_t **savekey) {
const char *directory = keydir;
isc_result_t result = ISC_R_NOTFOUND;
if (kasp == NULL || (strcmp(dns_kasp_getname(kasp), "none") == 0) ||
(strcmp(dns_kasp_getname(kasp), "insecure") == 0))
{
result = dst_key_fromfile(dst_key_name(key), dst_key_id(key),
dst_key_alg(key), type, directory,
mctx, savekey);
} else {
for (dns_kasp_key_t *kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link))
{
dns_keystore_t *ks = dns_kasp_key_keystore(kkey);
directory = dns_keystore_directory(ks, keydir);
result = dst_key_fromfile(dst_key_name(key),
dst_key_id(key),
dst_key_alg(key), type,
directory, mctx, savekey);
if (result == ISC_R_SUCCESS) {
break;
}
}
}
return result;
}
/*%
* Add the contents of a DNSKEY rdataset 'keyset' to 'keylist'.
*/
isc_result_t
dns_dnssec_keylistfromrdataset(const dns_name_t *origin, dns_kasp_t *kasp,
const char *directory, isc_mem_t *mctx,
dns_rdataset_t *keyset, dns_rdataset_t *keysigs,
dns_rdataset_t *soasigs, bool savekeys,
bool publickey, dns_dnsseckeylist_t *keylist) {
dns_rdataset_t keys;
dns_rdata_t rdata = DNS_RDATA_INIT;
dst_key_t *dnskey = NULL, *pubkey = NULL, *privkey = NULL;
isc_result_t result;
REQUIRE(keyset != NULL && dns_rdataset_isassociated(keyset));
dns_rdataset_init(&keys);
dns_rdataset_clone(keyset, &keys);
for (result = dns_rdataset_first(&keys); result == ISC_R_SUCCESS;
result = dns_rdataset_next(&keys))
{
dns_rdata_reset(&rdata);
dns_rdataset_current(&keys, &rdata);
REQUIRE(rdata.type == dns_rdatatype_key ||
rdata.type == dns_rdatatype_dnskey);
REQUIRE(rdata.length > 3);
/* Skip unsupported algorithms */
if (!dst_algorithm_supported(rdata.data[3])) {
goto skip;
}
RETERR(dns_dnssec_keyfromrdata(origin, &rdata, mctx, &dnskey));
dst_key_setttl(dnskey, keys.ttl);
if (!is_zone_key(dnskey)) {
goto skip;
}
/* Corrupted .key file? */
if (!dns_name_equal(origin, dst_key_name(dnskey))) {
goto skip;
}
if (publickey) {
addkey(keylist, &dnskey, savekeys, true, mctx);
goto skip;
}
/* Try to read the public key. */
result = keyfromfile(kasp, directory, dnskey,
(DST_TYPE_PUBLIC | DST_TYPE_STATE), mctx,
&pubkey);
if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
result = ISC_R_SUCCESS;
}
RETERR(result);
if (kasp != NULL && dns_kasp_offlineksk(kasp) &&
(dst_key_flags(dnskey) & DNS_KEYFLAG_KSK) != 0)
{
result = ISC_R_NOPERM;
goto addkey;
}
/* Now read the private key. */
result = keyfromfile(
kasp, directory, dnskey,
(DST_TYPE_PUBLIC | DST_TYPE_PRIVATE | DST_TYPE_STATE),
mctx, &privkey);
/*
* If the key was revoked and the private file
* doesn't exist, maybe it was revoked internally
* by named. Try loading the unrevoked version.
*/
if (result == ISC_R_FILENOTFOUND) {
uint32_t flags;
flags = dst_key_flags(dnskey);
if ((flags & DNS_KEYFLAG_REVOKE) != 0) {
dst_key_setflags(dnskey,
flags & ~DNS_KEYFLAG_REVOKE);
result = keyfromfile(kasp, directory, dnskey,
(DST_TYPE_PUBLIC |
DST_TYPE_PRIVATE |
DST_TYPE_STATE),
mctx, &privkey);
if (result == ISC_R_SUCCESS &&
dst_key_pubcompare(dnskey, privkey, false))
{
dst_key_setflags(privkey, flags);
}
dst_key_setflags(dnskey, flags);
}
}
if (result != ISC_R_SUCCESS) {
char filename[DNS_NAME_FORMATSIZE +
DNS_SECALG_FORMATSIZE +
sizeof("key file for //65535")];
isc_result_t result2;
isc_buffer_t buf;
isc_buffer_init(&buf, filename, NAME_MAX);
result2 = dst_key_getfilename(
dst_key_name(dnskey), dst_key_id(dnskey),
dst_key_alg(dnskey),
(DST_TYPE_PUBLIC | DST_TYPE_PRIVATE |
DST_TYPE_STATE),
NULL, mctx, &buf);
if (result2 != ISC_R_SUCCESS) {
char namebuf[DNS_NAME_FORMATSIZE];
char algbuf[DNS_SECALG_FORMATSIZE];
dns_name_format(dst_key_name(dnskey), namebuf,
sizeof(namebuf));
dns_secalg_format(dst_key_alg(dnskey), algbuf,
sizeof(algbuf));
snprintf(filename, sizeof(filename) - 1,
"key file for %s/%s/%d", namebuf,
algbuf, dst_key_id(dnskey));
}
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_WARNING,
"dns_dnssec_keylistfromrdataset: error "
"reading %s: %s",
filename, isc_result_totext(result));
}
addkey:
if (result == ISC_R_FILENOTFOUND || result == ISC_R_NOPERM) {
if (pubkey != NULL) {
addkey(keylist, &pubkey, savekeys, true, mctx);
} else {
addkey(keylist, &dnskey, savekeys, false, mctx);
}
goto skip;
}
RETERR(result);
/*
* Whatever the key's default TTL may have
* been, the rdataset TTL takes priority.
*/
dst_key_setttl(privkey, dst_key_getttl(dnskey));
addkey(keylist, &privkey, savekeys, false, mctx);
skip:
if (dnskey != NULL) {
dst_key_free(&dnskey);
}
if (pubkey != NULL) {
dst_key_free(&pubkey);
}
if (privkey != NULL) {
dst_key_free(&privkey);
}
}
if (result != ISC_R_NOMORE) {
RETERR(result);
}
if (keysigs != NULL && dns_rdataset_isassociated(keysigs)) {
RETERR(mark_active_keys(keylist, keysigs));
}
if (soasigs != NULL && dns_rdataset_isassociated(soasigs)) {
RETERR(mark_active_keys(keylist, soasigs));
}
result = ISC_R_SUCCESS;
failure:
if (dns_rdataset_isassociated(&keys)) {
dns_rdataset_disassociate(&keys);
}
if (dnskey != NULL) {
dst_key_free(&dnskey);
}
if (pubkey != NULL) {
dst_key_free(&pubkey);
}
if (privkey != NULL) {
dst_key_free(&privkey);
}
return result;
}
isc_result_t
dns_dnssec_make_dnskey(dst_key_t *key, unsigned char *buf, int bufsize,
dns_rdata_t *target) {
isc_result_t result;
isc_buffer_t b;
isc_region_t r;
isc_buffer_init(&b, buf, bufsize);
result = dst_key_todns(key, &b);
if (result != ISC_R_SUCCESS) {
return result;
}
dns_rdata_reset(target);
isc_buffer_usedregion(&b, &r);
dns_rdata_fromregion(target, dst_key_class(key), dns_rdatatype_dnskey,
&r);
return ISC_R_SUCCESS;
}
static isc_result_t
addrdata(dns_rdata_t *rdata, dns_diff_t *diff, const dns_name_t *origin,
dns_ttl_t ttl, isc_mem_t *mctx) {
isc_result_t result;
dns_difftuple_t *tuple = NULL;
RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_ADD, origin, ttl, rdata,
&tuple));
dns_diff_appendminimal(diff, &tuple);
failure:
return result;
}
static isc_result_t
delrdata(dns_rdata_t *rdata, dns_diff_t *diff, const dns_name_t *origin,
dns_ttl_t ttl, isc_mem_t *mctx) {
isc_result_t result;
dns_difftuple_t *tuple = NULL;
RETERR(dns_difftuple_create(mctx, DNS_DIFFOP_DEL, origin, ttl, rdata,
&tuple));
dns_diff_appendminimal(diff, &tuple);
failure:
return result;
}
static isc_result_t
publish_key(dns_diff_t *diff, dns_dnsseckey_t *key, const dns_name_t *origin,
dns_ttl_t ttl, isc_mem_t *mctx,
void (*report)(const char *, ...) ISC_FORMAT_PRINTF(1, 2)) {
isc_result_t result;
unsigned char buf[DST_KEY_MAXSIZE];
char keystr[DST_KEY_FORMATSIZE];
dns_rdata_t dnskey = DNS_RDATA_INIT;
dns_rdata_reset(&dnskey);
RETERR(dns_dnssec_make_dnskey(key->key, buf, sizeof(buf), &dnskey));
dst_key_format(key->key, keystr, sizeof(keystr));
report("Fetching %s (%s) from key %s.", keystr,
key->ksk ? (key->zsk ? "CSK" : "KSK") : "ZSK",
key->source == dns_keysource_user ? "file" : "repository");
if (key->prepublish && ttl > key->prepublish) {
isc_stdtime_t now;
report("Key %s: Delaying activation to match the DNSKEY TTL "
"(%u).",
keystr, ttl);
now = isc_stdtime_now();
dst_key_settime(key->key, DST_TIME_ACTIVATE, now + ttl);
}
/* publish key */
result = addrdata(&dnskey, diff, origin, ttl, mctx);
failure:
return result;
}
static isc_result_t
remove_key(dns_diff_t *diff, dns_dnsseckey_t *key, const dns_name_t *origin,
dns_ttl_t ttl, isc_mem_t *mctx, const char *reason,
void (*report)(const char *, ...) ISC_FORMAT_PRINTF(1, 2)) {
isc_result_t result;
unsigned char buf[DST_KEY_MAXSIZE];
dns_rdata_t dnskey = DNS_RDATA_INIT;
char alg[80];
char namebuf[DNS_NAME_FORMATSIZE];
dns_secalg_format(dst_key_alg(key->key), alg, sizeof(alg));
dns_name_format(dst_key_name(key->key), namebuf, sizeof(namebuf));
report("Removing %s key %s/%d/%s from DNSKEY RRset.", reason, namebuf,
dst_key_id(key->key), alg);
RETERR(dns_dnssec_make_dnskey(key->key, buf, sizeof(buf), &dnskey));
result = delrdata(&dnskey, diff, origin, ttl, mctx);
failure:
return result;
}
static bool
exists(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
isc_result_t result;
dns_rdataset_t trdataset;
dns_rdataset_init(&trdataset);
dns_rdataset_clone(rdataset, &trdataset);
for (result = dns_rdataset_first(&trdataset); result == ISC_R_SUCCESS;
result = dns_rdataset_next(&trdataset))
{
dns_rdata_t current = DNS_RDATA_INIT;
dns_rdataset_current(&trdataset, &current);
if (dns_rdata_compare(rdata, &current) == 0) {
dns_rdataset_disassociate(&trdataset);
return true;
}
}
dns_rdataset_disassociate(&trdataset);
return false;
}
static isc_result_t
add_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr,
dns_rdataset_t *cds, unsigned int digesttype, dns_ttl_t ttl,
dns_diff_t *diff, isc_mem_t *mctx) {
isc_result_t r = ISC_R_SUCCESS;
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
dns_rdata_t cdsrdata = DNS_RDATA_INIT;
dns_name_t *origin = dst_key_name(key->key);
r = dns_ds_buildrdata(origin, keyrdata, digesttype, dsbuf, &cdsrdata);
if (r != ISC_R_SUCCESS) {
char algbuf[DNS_DSDIGEST_FORMATSIZE];
dns_dsdigest_format(digesttype, algbuf,
DNS_DSDIGEST_FORMATSIZE);
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_ERROR,
"build rdata CDS (%s) for key %s failed", algbuf,
keystr);
return r;
}
cdsrdata.type = dns_rdatatype_cds;
if (!dns_rdataset_isassociated(cds) || !exists(cds, &cdsrdata)) {
char algbuf[DNS_DSDIGEST_FORMATSIZE];
dns_dsdigest_format(digesttype, algbuf,
DNS_DSDIGEST_FORMATSIZE);
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
"CDS (%s) for key %s is now published", algbuf,
keystr);
r = addrdata(&cdsrdata, diff, origin, ttl, mctx);
}
return r;
}
static isc_result_t
delete_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr,
dns_rdataset_t *cds, unsigned int digesttype, dns_diff_t *diff,
isc_mem_t *mctx) {
isc_result_t r = ISC_R_SUCCESS;
unsigned char dsbuf[DNS_DS_BUFFERSIZE];
dns_rdata_t cdsrdata = DNS_RDATA_INIT;
dns_name_t *origin = dst_key_name(key->key);
r = dns_ds_buildrdata(origin, keyrdata, digesttype, dsbuf, &cdsrdata);
if (r != ISC_R_SUCCESS) {
return r;
}
cdsrdata.type = dns_rdatatype_cds;
if (exists(cds, &cdsrdata)) {
char algbuf[DNS_DSDIGEST_FORMATSIZE];
dns_dsdigest_format(digesttype, algbuf,
DNS_DSDIGEST_FORMATSIZE);
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
"CDS (%s) for key %s is now deleted", algbuf,
keystr);
r = delrdata(&cdsrdata, diff, origin, cds->ttl, mctx);
}
return r;
}
isc_result_t
dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
isc_stdtime_t now, dns_kasp_digestlist_t *digests,
bool gencdnskey, dns_ttl_t ttl, dns_diff_t *diff,
isc_mem_t *mctx) {
unsigned char keybuf[DST_KEY_MAXSIZE];
isc_result_t result;
dns_dnsseckey_t *key;
dns_ttl_t cdsttl = ttl;
dns_ttl_t cdnskeyttl = ttl;
REQUIRE(digests != NULL);
REQUIRE(keys != NULL);
REQUIRE(rmkeys != NULL);
if (dns_rdataset_isassociated(cds)) {
cdsttl = cds->ttl;
}
if (dns_rdataset_isassociated(cdnskey)) {
cdnskeyttl = cdnskey->ttl;
}
for (key = ISC_LIST_HEAD(*keys); key != NULL;
key = ISC_LIST_NEXT(key, link))
{
dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
dns_name_t *origin = dst_key_name(key->key);
RETERR(dns_dnssec_make_dnskey(key->key, keybuf, sizeof(keybuf),
&cdnskeyrdata));
cdnskeyrdata.type = dns_rdatatype_cdnskey;
if (syncpublish(key->key, now)) {
char keystr[DST_KEY_FORMATSIZE];
dst_key_format(key->key, keystr, sizeof(keystr));
for (dns_kasp_digest_t *alg = ISC_LIST_HEAD(*digests);
alg != NULL; alg = ISC_LIST_NEXT(alg, link))
{
RETERR(add_cds(key, &cdnskeyrdata,
(const char *)keystr, cds,
alg->digest, cdsttl, diff,
mctx));
}
if (gencdnskey &&
(!dns_rdataset_isassociated(cdnskey) ||
!exists(cdnskey, &cdnskeyrdata)))
{
isc_log_write(
dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
"CDNSKEY for key %s is now published",
keystr);
RETERR(addrdata(&cdnskeyrdata, diff, origin,
cdnskeyttl, mctx));
}
}
if (syncdelete(key->key, now)) {
char keystr[DST_KEY_FORMATSIZE];
dst_key_format(key->key, keystr, sizeof(keystr));
if (dns_rdataset_isassociated(cds)) {
/* Delete all possible CDS records */
delete_cds(key, &cdnskeyrdata,
(const char *)keystr, cds,
DNS_DSDIGEST_SHA1, diff, mctx);
delete_cds(key, &cdnskeyrdata,
(const char *)keystr, cds,
DNS_DSDIGEST_SHA256, diff, mctx);
delete_cds(key, &cdnskeyrdata,
(const char *)keystr, cds,
DNS_DSDIGEST_SHA384, diff, mctx);
}
if (dns_rdataset_isassociated(cdnskey)) {
if (exists(cdnskey, &cdnskeyrdata)) {
isc_log_write(dns_lctx,
DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC,
ISC_LOG_INFO,
"CDNSKEY for key %s is "
"now deleted",
keystr);
RETERR(delrdata(&cdnskeyrdata, diff,
origin, cdnskey->ttl,
mctx));
}
}
}
}
if (!dns_rdataset_isassociated(cds) &&
!dns_rdataset_isassociated(cdnskey))
{
return ISC_R_SUCCESS;
}
/*
* Unconditionally remove CDS/DNSKEY records for removed keys.
*/
for (key = ISC_LIST_HEAD(*rmkeys); key != NULL;
key = ISC_LIST_NEXT(key, link))
{
dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
dns_name_t *origin = dst_key_name(key->key);
char keystr[DST_KEY_FORMATSIZE];
dst_key_format(key->key, keystr, sizeof(keystr));
RETERR(dns_dnssec_make_dnskey(key->key, keybuf, sizeof(keybuf),
&cdnskeyrdata));
if (dns_rdataset_isassociated(cds)) {
delete_cds(key, &cdnskeyrdata, (const char *)keystr,
cds, DNS_DSDIGEST_SHA1, diff, mctx);
delete_cds(key, &cdnskeyrdata, (const char *)keystr,
cds, DNS_DSDIGEST_SHA256, diff, mctx);
delete_cds(key, &cdnskeyrdata, (const char *)keystr,
cds, DNS_DSDIGEST_SHA384, diff, mctx);
}
if (dns_rdataset_isassociated(cdnskey)) {
if (exists(cdnskey, &cdnskeyrdata)) {
isc_log_write(
dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
"CDNSKEY for key %s is now deleted",
keystr);
RETERR(delrdata(&cdnskeyrdata, diff, origin,
cdnskey->ttl, mctx));
}
}
}
result = ISC_R_SUCCESS;
failure:
return result;
}
isc_result_t
dns_dnssec_syncdelete(dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
dns_name_t *origin, dns_rdataclass_t zclass,
dns_ttl_t ttl, dns_diff_t *diff, isc_mem_t *mctx,
bool expect_cds_delete, bool expect_cdnskey_delete) {
unsigned char dsbuf[5] = { 0, 0, 0, 0, 0 }; /* CDS DELETE rdata */
unsigned char keybuf[5] = { 0, 0, 3, 0, 0 }; /* CDNSKEY DELETE rdata */
char namebuf[DNS_NAME_FORMATSIZE];
dns_rdata_t cds_delete = DNS_RDATA_INIT;
dns_rdata_t cdnskey_delete = DNS_RDATA_INIT;
isc_region_t r;
isc_result_t result;
r.base = keybuf;
r.length = sizeof(keybuf);
dns_rdata_fromregion(&cdnskey_delete, zclass, dns_rdatatype_cdnskey,
&r);
r.base = dsbuf;
r.length = sizeof(dsbuf);
dns_rdata_fromregion(&cds_delete, zclass, dns_rdatatype_cds, &r);
dns_name_format(origin, namebuf, sizeof(namebuf));
if (expect_cds_delete) {
if (!dns_rdataset_isassociated(cds) ||
!exists(cds, &cds_delete))
{
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
"CDS (DELETE) for zone %s is now "
"published",
namebuf);
RETERR(addrdata(&cds_delete, diff, origin, ttl, mctx));
}
} else {
if (dns_rdataset_isassociated(cds) && exists(cds, &cds_delete))
{
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
"CDS (DELETE) for zone %s is now "
"deleted",
namebuf);
RETERR(delrdata(&cds_delete, diff, origin, cds->ttl,
mctx));
}
}
if (expect_cdnskey_delete) {
if (!dns_rdataset_isassociated(cdnskey) ||
!exists(cdnskey, &cdnskey_delete))
{
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
"CDNSKEY (DELETE) for zone %s is now "
"published",
namebuf);
RETERR(addrdata(&cdnskey_delete, diff, origin, ttl,
mctx));
}
} else {
if (dns_rdataset_isassociated(cdnskey) &&
exists(cdnskey, &cdnskey_delete))
{
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
"CDNSKEY (DELETE) for zone %s is now "
"deleted",
namebuf);
RETERR(delrdata(&cdnskey_delete, diff, origin,
cdnskey->ttl, mctx));
}
}
result = ISC_R_SUCCESS;
failure:
return result;
}
/*
* Update 'keys' with information from 'newkeys'.
*
* If 'removed' is not NULL, any keys that are being removed from
* the zone will be added to the list for post-removal processing.
*/
isc_result_t
dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
dns_dnsseckeylist_t *removed, const dns_name_t *origin,
dns_ttl_t hint_ttl, dns_diff_t *diff, isc_mem_t *mctx,
void (*report)(const char *, ...)
ISC_FORMAT_PRINTF(1, 2)) {
isc_result_t result;
dns_dnsseckey_t *key, *key1, *key2, *next;
bool found_ttl = false;
dns_ttl_t ttl = hint_ttl;
/*
* First, look through the existing key list to find keys
* supplied from the command line which are not in the zone.
* Update the zone to include them.
*
* Also, if there are keys published in the zone already,
* use their TTL for all subsequent published keys.
*/
for (key = ISC_LIST_HEAD(*keys); key != NULL;
key = ISC_LIST_NEXT(key, link))
{
if (key->source == dns_keysource_user &&
(key->hint_publish || key->force_publish))
{
RETERR(publish_key(diff, key, origin, ttl, mctx,
report));
}
if (key->source == dns_keysource_zoneapex) {
ttl = dst_key_getttl(key->key);
found_ttl = true;
}
}
/*
* If there were no existing keys, use the smallest nonzero
* TTL of the keys found in the repository.
*/
if (!found_ttl && !ISC_LIST_EMPTY(*newkeys)) {
dns_ttl_t shortest = 0;
for (key = ISC_LIST_HEAD(*newkeys); key != NULL;
key = ISC_LIST_NEXT(key, link))
{
dns_ttl_t thisttl = dst_key_getttl(key->key);
if (thisttl != 0 &&
(shortest == 0 || thisttl < shortest))
{
shortest = thisttl;
}
}
if (shortest != 0) {
ttl = shortest;
}
}
/*
* Second, scan the list of newly found keys looking for matches
* with known keys, and update accordingly.
*/
for (key1 = ISC_LIST_HEAD(*newkeys); key1 != NULL; key1 = next) {
bool key_revoked = false;
char keystr1[DST_KEY_FORMATSIZE];
char keystr2[DST_KEY_FORMATSIZE];
next = ISC_LIST_NEXT(key1, link);
for (key2 = ISC_LIST_HEAD(*keys); key2 != NULL;
key2 = ISC_LIST_NEXT(key2, link))
{
int f1 = dst_key_flags(key1->key);
int f2 = dst_key_flags(key2->key);
int nr1 = f1 & ~DNS_KEYFLAG_REVOKE;
int nr2 = f2 & ~DNS_KEYFLAG_REVOKE;
if (nr1 == nr2 &&
dst_key_alg(key1->key) == dst_key_alg(key2->key) &&
dst_key_pubcompare(key1->key, key2->key, true))
{
int r1, r2;
r1 = dst_key_flags(key1->key) &
DNS_KEYFLAG_REVOKE;
r2 = dst_key_flags(key2->key) &
DNS_KEYFLAG_REVOKE;
key_revoked = (r1 != r2);
break;
}
}
/* Printable version of key1 (the newly acquired key) */
dst_key_format(key1->key, keystr1, sizeof(keystr1));
/* No match found in keys; add the new key. */
if (key2 == NULL) {
ISC_LIST_UNLINK(*newkeys, key1, link);
ISC_LIST_APPEND(*keys, key1, link);
if (key1->source != dns_keysource_zoneapex &&
(key1->hint_publish || key1->force_publish))
{
RETERR(publish_key(diff, key1, origin, ttl,
mctx, report));
isc_log_write(
dns_lctx, DNS_LOGCATEGORY_DNSSEC,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
"DNSKEY %s (%s) is now published",
keystr1,
key1->ksk ? (key1->zsk ? "CSK" : "KSK")
: "ZSK");
if (key1->hint_sign || key1->force_sign) {
key1->first_sign = true;
isc_log_write(
dns_lctx,
DNS_LOGCATEGORY_DNSSEC,
DNS_LOGMODULE_DNSSEC,
ISC_LOG_INFO,
"DNSKEY %s (%s) is now "
"active",
keystr1,
key1->ksk ? (key1->zsk ? "CSK"
: "KSK")
: "ZSK");
}
}
continue;
}
/* Printable version of key2 (the old key, if any) */
dst_key_format(key2->key, keystr2, sizeof(keystr2));
/* Copy key metadata. */
dst_key_copy_metadata(key2->key, key1->key);
/* Match found: remove or update it as needed */
if (key1->hint_remove) {
RETERR(remove_key(diff, key2, origin, ttl, mctx,
"expired", report));
ISC_LIST_UNLINK(*keys, key2, link);
if (removed != NULL) {
ISC_LIST_APPEND(*removed, key2, link);
isc_log_write(
dns_lctx, DNS_LOGCATEGORY_DNSSEC,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
"DNSKEY %s (%s) is now deleted",
keystr2,
key2->ksk ? (key2->zsk ? "CSK" : "KSK")
: "ZSK");
} else {
dns_dnsseckey_destroy(mctx, &key2);
}
} else if (key_revoked &&
(dst_key_flags(key1->key) & DNS_KEYFLAG_REVOKE) != 0)
{
/*
* A previously valid key has been revoked.
* We need to remove the old version and pull
* in the new one.
*/
RETERR(remove_key(diff, key2, origin, ttl, mctx,
"revoked", report));
ISC_LIST_UNLINK(*keys, key2, link);
if (removed != NULL) {
ISC_LIST_APPEND(*removed, key2, link);
isc_log_write(
dns_lctx, DNS_LOGCATEGORY_DNSSEC,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
"DNSKEY %s (%s) is now revoked; "
"new ID is %05d",
keystr2,
key2->ksk ? (key2->zsk ? "CSK" : "KSK")
: "ZSK",
dst_key_id(key1->key));
} else {
dns_dnsseckey_destroy(mctx, &key2);
}
RETERR(publish_key(diff, key1, origin, ttl, mctx,
report));
ISC_LIST_UNLINK(*newkeys, key1, link);
ISC_LIST_APPEND(*keys, key1, link);
/*
* XXX: The revoke flag is only defined for trust
* anchors. Setting the flag on a non-KSK is legal,
* but not defined in any RFC. It seems reasonable
* to treat it the same as a KSK: keep it in the
* zone, sign the DNSKEY set with it, but not
* sign other records with it.
*/
key1->ksk = true;
continue;
} else {
if (!key2->is_active &&
(key1->hint_sign || key1->force_sign))
{
key2->first_sign = true;
isc_log_write(
dns_lctx, DNS_LOGCATEGORY_DNSSEC,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
"DNSKEY %s (%s) is now active", keystr1,
key1->ksk ? (key1->zsk ? "CSK" : "KSK")
: "ZSK");
} else if (key2->is_active && !key1->hint_sign &&
!key1->force_sign)
{
isc_log_write(
dns_lctx, DNS_LOGCATEGORY_DNSSEC,
DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
"DNSKEY %s (%s) is now inactive",
keystr1,
key1->ksk ? (key1->zsk ? "CSK" : "KSK")
: "ZSK");
}
key2->hint_sign = key1->hint_sign;
key2->hint_publish = key1->hint_publish;
}
}
/* Free any leftover keys in newkeys */
while (!ISC_LIST_EMPTY(*newkeys)) {
key1 = ISC_LIST_HEAD(*newkeys);
ISC_LIST_UNLINK(*newkeys, key1, link);
dns_dnsseckey_destroy(mctx, &key1);
}
result = ISC_R_SUCCESS;
failure:
return result;
}
isc_result_t
dns_dnssec_matchdskey(dns_name_t *name, dns_rdata_t *dsrdata,
dns_rdataset_t *keyset, dns_rdata_t *keyrdata) {
isc_result_t result;
unsigned char buf[DNS_DS_BUFFERSIZE];
dns_keytag_t keytag;
dns_rdata_dnskey_t key;
dns_rdata_ds_t ds;
isc_region_t r;
result = dns_rdata_tostruct(dsrdata, &ds, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
for (result = dns_rdataset_first(keyset); result == ISC_R_SUCCESS;
result = dns_rdataset_next(keyset))
{
dns_rdata_t newdsrdata = DNS_RDATA_INIT;
dns_rdata_reset(keyrdata);
dns_rdataset_current(keyset, keyrdata);
result = dns_rdata_tostruct(keyrdata, &key, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
dns_rdata_toregion(keyrdata, &r);
keytag = dst_region_computeid(&r);
if (ds.key_tag != keytag || ds.algorithm != key.algorithm) {
continue;
}
result = dns_ds_buildrdata(name, keyrdata, ds.digest_type, buf,
&newdsrdata);
if (result != ISC_R_SUCCESS) {
continue;
}
if (dns_rdata_compare(dsrdata, &newdsrdata) == 0) {
break;
}
}
if (result == ISC_R_NOMORE) {
result = ISC_R_NOTFOUND;
}
return result;
}
View git blame Copy permalink