Allow dig to SIG(0) sign a message

This commit is contained in:
Mark Andrews 2022-03-14 13:43:07 +11:00 committed by Petr Špaček
parent c127a2aefc
commit 4d248ee78e
No known key found for this signature in database
GPG key ID: ABD587CDF06581AE
3 changed files with 46 additions and 24 deletions


@ -132,12 +132,14 @@ Options
.. option:: -k keyfile
This option tells :iscman:`named` to sign queries using TSIG using a key read from the given file. Key
files can be generated using :iscman:`tsig-keygen`. When using TSIG
authentication with :program:`dig`, the name server that is queried needs to
know the key and algorithm that is being used. In BIND, this is done
by providing appropriate ``key`` and ``server`` statements in
:iscman:`named.conf`.
This option tells :program:`dig` to sign queries using TSIG or
SIG(0) using a key read from the given file. Key files can be
generated using :iscman:`tsig-keygen`. When using TSIG authentication
with :program:`dig`, the name server that is queried needs to
know the key and algorithm that is being used. In BIND, this is
done by providing appropriate ``key`` and ``server`` statements
in :iscman:`named.conf` for TSIG and by looking up the KEY record
in zone data for SIG(0).
.. option:: -m


@ -143,6 +143,7 @@ const dns_name_t *hmacname = NULL;
unsigned int digestbits = 0;
isc_buffer_t *namebuf = NULL;
dns_tsigkey_t *tsigkey = NULL;
dst_key_t *sig0key = NULL;
bool validated = true;
bool debugging = false;
bool debugtiming = false;
@ -1141,6 +1142,10 @@ setup_file_key(void) {
debug("setup_file_key()");
if (sig0key != NULL) {
dst_key_free(&sig0key);
}
/* Try reading the key from a K* pair */
result = dst_key_fromnamedfile(
keyfile, NULL, DST_TYPE_PRIVATE | DST_TYPE_KEY, mctx, &dstkey);
@ -1178,18 +1183,20 @@ setup_file_key(void) {
case DST_ALG_HMACSHA512:
hmacname = DNS_TSIG_HMACSHA512_NAME;
break;
default:
printf(";; Couldn't create key %s: bad algorithm\n",
keynametext);
goto failure;
}
result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
dstkey, false, NULL, 0, 0, mctx,
NULL, &tsigkey);
if (result != ISC_R_SUCCESS) {
printf(";; Couldn't create key %s: %s\n", keynametext,
isc_result_totext(result));
goto failure;
if (hmacname != NULL) {
result = dns_tsigkey_createfromkey(
dst_key_name(dstkey), hmacname, dstkey, false, NULL, 0,
0, mctx, NULL, &tsigkey);
if (result != ISC_R_SUCCESS) {
printf(";; Couldn't create key %s: %s\n", keynametext,
isc_result_totext(result));
goto failure;
}
} else {
dst_key_attach(dstkey, &sig0key);
dst_key_free(&dstkey);
}
failure:
if (dstkey != NULL) {
@ -2425,6 +2432,10 @@ setup_lookup(dig_lookup_t *lookup) {
debug("initializing keys");
result = dns_message_settsigkey(lookup->sendmsg, tsigkey);
check_result(result, "dns_message_settsigkey");
} else if (sig0key != NULL) {
debug("initializing keys");
result = dns_message_setsig0key(lookup->sendmsg, sig0key);
check_result(result, "dns_message_setsig0key");
}
lookup->sendspace = isc_mem_get(mctx, COMMSIZE);
@ -4654,10 +4665,17 @@ destroy_libs(void) {
clear_searchlist();
if (tsigkey != NULL) {
debug("freeing key %p", tsigkey);
debug("freeing TSIG key %p", tsigkey);
dns_tsigkey_detach(&tsigkey);
}
if (sig0key != NULL) {
debug("freeing SIG(0) key %p", sig0key);
dst_key_free(&sig0key);
}
if (namebuf != NULL) {
debug("freeing key %p", tsigkey);
isc_buffer_free(&namebuf);
}
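Review bot: The new dispatch `if (hmacname != NULL)` treats a NULL hmacname as "this is a SIG(0) key", but hmacname is the file-scope global shown in the first hunk's header line, and nothing visible in this hunk clears it before the switch. If the `default:` case that used to reject unknown algorithms has been dropped rather than replaced by one that resets hmacname, a second call to setup_file_key() with a non-HMAC key after an HMAC key would inherit the stale name and be handed to dns_tsigkey_createfromkey() instead of the SIG(0) path; the added `dst_key_free(&sig0key)` at the top of the function suggests repeated calls are anticipated. Resetting it next to that cleanup, `hmacname = NULL;`, or computing the algorithm-to-name mapping in a local, makes the branch depend only on the key just loaded. The body of setup_file_key() between the two hunks and after `failure:` is outside this view, so the reset may already exist there.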


@ -153,12 +153,14 @@ Print a usage summary.
.INDENT 0.0
.TP
.B \-k keyfile
This option tells \fI\%named\fP to sign queries using TSIG using a key read from the given file. Key
files can be generated using \fI\%tsig\-keygen\fP\&. When using TSIG
authentication with \fBdig\fP, the name server that is queried needs to
know the key and algorithm that is being used. In BIND, this is done
by providing appropriate \fBkey\fP and \fBserver\fP statements in
\fI\%named.conf\fP\&.
This option tells \fBdig\fP to sign queries using TSIG or
SIG(0) using a key read from the given file. Key files can be
generated using \fI\%tsig\-keygen\fP\&. When using TSIG authentication
with \fBdig\fP, the name server that is queried needs to
know the key and algorithm that is being used. In BIND, this is
done by providing appropriate \fBkey\fP and \fBserver\fP statements
in \fI\%named.conf\fP for TSIG and by looking up the KEY record
in zone data for SIG(0).
.UNINDENT
.INDENT 0.0
.TP