From 75ae74f8fd0847817bce2db7c868b179db67f019 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 12 Aug 2013 15:37:51 +1000
Subject: [PATCH] 3629. [func] Allow the printing of cryptographic fields in DNSSEC records by dig to be suppressed (dig +nocrypto). [RT #34534]
---
 CHANGES | 4 ++++
 bin/dig/dig.c | 19 +++++++++++++++++--
 bin/dig/dig.docbook | 15 +++++++++++++++
 bin/tests/system/dnssec/tests.sh | 13 +++++++++++++
 lib/dns/include/dns/masterdump.h | 3 +++
 lib/dns/rdata/generic/dlv_32769.c | 13 ++++++++-----
 lib/dns/rdata/generic/dnskey_48.c | 22 +++++++++++++++-------
 lib/dns/rdata/generic/ds_43.c | 13 ++++++++-----
 lib/dns/rdata/generic/rrsig_46.c | 14 +++++++++-----
 9 files changed, 92 insertions(+), 24 deletions(-)
diff --git a/CHANGES b/CHANGES
index 809748baa7..249f09e654 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3629. [func] Allow the printing of cryptographic fields in DNSSEC
+ records by dig to be suppressed (dig +nocrypto).
+ [RT #34534]
+
 3628. [func] Report DNSKEY key id's when dumping the cache.
 [RT #34533]
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 6ed7d9bc76..2b84161ebd 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -67,7 +67,8 @@ static char domainopt[DNS_NAME_MAXTEXT];
 static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
 ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
 multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE,
- onesoa = ISC_FALSE, rrcomments = ISC_FALSE, use_usec = ISC_FALSE;
+ onesoa = ISC_FALSE, rrcomments = ISC_FALSE, use_usec = ISC_FALSE,
+ nocrypto = ISC_FALSE;
 static isc_uint32_t splitwidth = 0xffffffff;
 /*% opcode text */
@@ -205,6 +206,8 @@ help(void) {
 " +[no]comments (Control display of comment lines)\n"
 " +[no]rrcomments (Control display of per-record "
 "comments)\n"
+" +[no]crypto (Control display of cryptographic "
+ "fields in records)\n"
 " +[no]question (Control display of question)\n"
 " +[no]answer (Control display of answer)\n"
 " +[no]authority (Control display of authority)\n"
@@ -321,6 +324,7 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 isc_uint64_t diff;
 isc_time_t now;
 char store[sizeof("12345678901234567890")];
+ unsigned int styleflags = 0;
 if (query->lookup->trace || query->lookup->ns_search_only) {
 result = dns_rdatatype_totext(rdata->type, buf);
@@ -328,7 +332,10 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 return (result);
 ADD_STRING(buf, " ");
 }
- result = dns_rdata_totext(rdata, NULL, buf);
+
+ if (nocrypto)
+ styleflags |= DNS_STYLEFLAG_NOCRYPTO;
+ result = dns_rdata_tofmttext(rdata, NULL, styleflags, 0, 60, " ", buf);
 if (result == ISC_R_NOSPACE)
 return (result);
 check_result(result, "dns_rdata_totext");
@@ -416,6 +423,8 @@ printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
 styleflags |= DNS_STYLEFLAG_NO_CLASS;
 if (rrcomments)
 styleflags |= DNS_STYLEFLAG_RRCOMMENT;
+ if (nocrypto)
+ styleflags |= DNS_STYLEFLAG_NOCRYPTO;
 if (multiline) {
 styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
 styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
@@ -471,6 +480,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 styleflags |= DNS_STYLEFLAG_NO_TTL;
 if (noclass)
 styleflags |= DNS_STYLEFLAG_NO_CLASS;
+ if (nocrypto)
+ styleflags |= DNS_STYLEFLAG_NOCRYPTO;
 if (multiline) {
 styleflags |= DNS_STYLEFLAG_OMIT_OWNER;
 styleflags |= DNS_STYLEFLAG_OMIT_CLASS;
@@ -863,6 +874,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 if (lookup == default_lookup)
 pluscomm = state;
 break;
+ case 'r':
+ FULLCHECK("crypto");
+ nocrypto = ISC_TF(!state);
+ break;
 default:
 goto invalid_option;
 }
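Review bot: `check_result(result, "dns_rdata_totext")` in the second say_message hunk now labels a failure of `dns_rdata_tofmttext`, so the message a user sees on error names a function that is no longer called; change it to `check_result(result, "dns_rdata_tofmttext");`. The new call also routes every +short record through the formatter with a split width of 60 and `" "` as the line break even when nocrypto is unset; if dns_rdata_totext did not use those same defaults, this is a change to plain +short output that neither the commit message nor the new system test covers. A short comment on the call, such as `/* width 0: never split the field; styleflags carries only NOCRYPTO here */`, would record the intent for the next reader.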
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 028f0fcd73..77f8694767 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -612,6 +612,21 @@
+
+
+
+
+ Toggle the display of cryptographic fields in DNSSEC records.
+ The contents of these field are unnecessary to debug most DNSSEC
+ validation failures and removing them makes it easier to see
+ the common failures. The default is to display the fields.
+ When omitted they are replaced by the string "[omitted]" or
+ in the DNSKEY case the key id is displayed as the replacement,
+ e.g. "[ key id = value ]".
+
+
+
+
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 1e92dd20a4..40c4696759 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -2282,5 +2282,18 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
+echo "I:check dig's +nocrypto flag ($n)"
+ret=0
+$DIG $DIGOPTS +norec +nocrypto DNSKEY . \
+ @10.53.0.1 > dig.out.dnskey.ns1.test$n || ret=1
+grep '256 3 1 \[key id = [1-9][0-9]*]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+grep 'RRSIG.* \[omitted]' dig.out.dnskey.ns1.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +norec +nocrypto DS example \
+ @10.53.0.1 > dig.out.ds.ns1.test$n || ret=1
+grep 'DS.* 3 [12] \[omitted]' dig.out.ds.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status
diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h
index 8631248cc2..c229b983ac 100644
--- a/lib/dns/include/dns/masterdump.h
+++ b/lib/dns/include/dns/masterdump.h
@@ -100,6 +100,9 @@ typedef struct dns_master_style dns_master_style_t;
 /*% Report re-signing time. */
 #define DNS_STYLEFLAG_RESIGN 0x04000000U
+/*% Don't printout the cryptographic parts of DNSSEC records. */
+#define DNS_STYLEFLAG_NOCRYPTO 0x08000000U
+
 ISC_LANG_BEGINDECLS
 /***
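Review bot: The new check only exercises the `+nocrypto` side; nothing asserts that the same queries without the option still print the key and signature data, so a regression that dropped the fields unconditionally (for example in the say_message change in this patch) would still pass. A default-mode run such as `$DIG $DIGOPTS +norec DNSKEY . @10.53.0.1 > dig.out.dnskey.default.ns1.test$n || ret=1` followed by `grep 'DNSKEY.*\[' dig.out.dnskey.default.ns1.test$n > /dev/null && ret=1` would cover that. The `256 3 1` and `3 [12]` literals also pin the fixture's current flags, algorithm and digest types; matching on `\[key id = ` and `\[omitted]` alone would keep the test valid if the test keys are ever regenerated with another algorithm.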
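Review bot: The comment on `DNS_STYLEFLAG_NOCRYPTO` should state that output produced with this flag is for display only: the rdata totext routines in this patch substitute `[omitted]` and `[key id = N]` for the field, which is not valid RDATA text, so anything dumped with the flag set cannot be loaded back as a master file. Suggested wording: `/*% Replace the cryptographic parts of DNSSEC records (key, digest, signature) with a placeholder; the output is not loadable master-file text. */`. "printout" in the current comment should also read "print out".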
diff --git a/lib/dns/rdata/generic/dlv_32769.c b/lib/dns/rdata/generic/dlv_32769.c
index ae7e7d7832..08d0ed4cf1 100644
--- a/lib/dns/rdata/generic/dlv_32769.c
+++ b/lib/dns/rdata/generic/dlv_32769.c
@@ -136,11 +136,14 @@ totext_dlv(ARGS_TOTEXT) {
 if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
 RETERR(str_totext(" (", target));
 RETERR(str_totext(tctx->linebreak, target));
- if (tctx->width == 0) /* No splitting */
- RETERR(isc_hex_totext(&sr, 0, "", target));
- else
- RETERR(isc_hex_totext(&sr, tctx->width - 2,
- tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+ if (tctx->width == 0) /* No splitting */
+ RETERR(isc_hex_totext(&sr, 0, "", target));
+ else
+ RETERR(isc_hex_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+ } else
+ RETERR(str_totext("[omitted]", target));
 if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
 RETERR(str_totext(" )", target));
 return (ISC_R_SUCCESS);
diff --git a/lib/dns/rdata/generic/dnskey_48.c b/lib/dns/rdata/generic/dnskey_48.c
index 688e7ac5e1..42c14b17f4 100644
--- a/lib/dns/rdata/generic/dnskey_48.c
+++ b/lib/dns/rdata/generic/dnskey_48.c
@@ -73,11 +73,12 @@ fromtext_dnskey(ARGS_FROMTEXT) {
 static inline isc_result_t
 totext_dnskey(ARGS_TOTEXT) {
 isc_region_t sr;
- char buf[sizeof("64000")];
+ char buf[sizeof("[key id = 64000]")];
 unsigned int flags;
 unsigned char algorithm;
 char algbuf[DNS_NAME_FORMATSIZE];
 const char *keyinfo;
+ isc_region_t tmpr;
 REQUIRE(rdata->type == 48);
 REQUIRE(rdata->length != 0);
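Review bot: The new `} else` arm in totext_dlv is left unbraced while the `if` arm it pairs with is braced (`} else` followed by a bare `RETERR(str_totext("[omitted]", target));`); RETERR presumably expands to a return-on-failure statement, so bracing both arms, `} else {` … `}`, keeps the shape uniform and avoids a dangling-statement surprise if a second line is ever added there. The same mixed shape appears in the ds_43.c and rrsig_46.c hunks of this patch, whereas the dnskey_48.c variant already braces its else. totext_dlv's body begins before the hunk.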
@@ -129,11 +130,19 @@ totext_dnskey(ARGS_TOTEXT) {
 if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
 RETERR(str_totext(" (", target));
 RETERR(str_totext(tctx->linebreak, target));
- if (tctx->width == 0) /* No splitting */
- RETERR(isc_base64_totext(&sr, 0, "", target));
- else
- RETERR(isc_base64_totext(&sr, tctx->width - 2,
- tctx->linebreak, target));
+
+ if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+ if (tctx->width == 0) /* No splitting */
+ RETERR(isc_base64_totext(&sr, 0, "", target));
+ else
+ RETERR(isc_base64_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+ } else {
+ dns_rdata_toregion(rdata, &tmpr);
+ snprintf(buf, sizeof(buf), "[key id = %u]",
+ dst_region_computeid(&tmpr, algorithm));
+ RETERR(str_totext(buf, target));
+ }
 if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0)
 RETERR(str_totext(tctx->linebreak, target));
@@ -144,7 +153,6 @@ totext_dnskey(ARGS_TOTEXT) {
 RETERR(str_totext(")", target));
 if ((tctx->flags & DNS_STYLEFLAG_RRCOMMENT) != 0) {
- isc_region_t tmpr;
 RETERR(str_totext(" ; ", target));
 RETERR(str_totext(keyinfo, target));
diff --git a/lib/dns/rdata/generic/ds_43.c b/lib/dns/rdata/generic/ds_43.c
index bbcadc43f4..d81a2288b3 100644
--- a/lib/dns/rdata/generic/ds_43.c
+++ b/lib/dns/rdata/generic/ds_43.c
@@ -135,11 +135,14 @@ totext_ds(ARGS_TOTEXT) {
 if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
 RETERR(str_totext(" (", target));
 RETERR(str_totext(tctx->linebreak, target));
- if (tctx->width == 0) /* No splitting */
- RETERR(isc_hex_totext(&sr, 0, "", target));
- else
- RETERR(isc_hex_totext(&sr, tctx->width - 2,
- tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+ if (tctx->width == 0) /* No splitting */
+ RETERR(isc_hex_totext(&sr, 0, "", target));
+ else
+ RETERR(isc_hex_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+ } else
+ RETERR(str_totext("[omitted]", target));
 if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
 RETERR(str_totext(" )", target));
 return (ISC_R_SUCCESS);
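Review bot: The placeholder written by `snprintf(buf, sizeof(buf), "[key id = %u]", ...)` does not match the form documented in the dig.docbook hunk of this same patch, which shows `"[ key id = value ]"` with inner spaces; the system test greps for `\[key id = `, so either the documentation should be corrected to `"[key id = value]"` or the format string, buffer size and test should all move to the spaced form. The buffer is now sized from `"[key id = 64000]"`; a comment such as `/* key ids are 16-bit, so at most five digits fit */` would record why that is large enough for any id. When `DNS_STYLEFLAG_RRCOMMENT` is also set, the trailing comment block (which this patch's third hunk edits) presumably prints the key id a second time; if that is intended, saying so next to the `} else {` branch would save the next reader the question. totext_dnskey's body continues outside the hunk.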
diff --git a/lib/dns/rdata/generic/rrsig_46.c b/lib/dns/rdata/generic/rrsig_46.c
index 58a327c02e..01551e303d 100644
--- a/lib/dns/rdata/generic/rrsig_46.c
+++ b/lib/dns/rdata/generic/rrsig_46.c
@@ -223,11 +223,15 @@ totext_rrsig(ARGS_TOTEXT) {
 * Sig. */
 RETERR(str_totext(tctx->linebreak, target));
- if (tctx->width == 0) /* No splitting */
- RETERR(isc_base64_totext(&sr, 60, "", target));
- else
- RETERR(isc_base64_totext(&sr, tctx->width - 2,
- tctx->linebreak, target));
+ if ((tctx->flags & DNS_STYLEFLAG_NOCRYPTO) == 0) {
+ if (tctx->width == 0) /* No splitting */
+ RETERR(isc_base64_totext(&sr, 60, "", target));
+ else
+ RETERR(isc_base64_totext(&sr, tctx->width - 2,
+ tctx->linebreak, target));
+ } else
+ RETERR(str_totext("[omitted]", target));
+
 if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
 RETERR(str_totext(" )", target));