diff --git a/bin/named/server.c b/bin/named/server.c
index bba09ab48f..db7a3062f2 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -14452,6 +14452,10 @@ named_server_signing(named_server_t *server, isc_lex_t *lex,
 */
 saltlen = 8;
 CHECK(dns_nsec3_generate_salt(salt, saltlen));
+ dns_nsec3_log_salt(
+ named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
+ salt, saltlen, "generated salt:");
 } else if (strcmp(ptr, "-") != 0) {
 isc_buffer_t buf;
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 2fea020200..221c954522 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1578,6 +1578,15 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 dns_kasp_nsec3saltlen(
 kasp)));
 salt = saltbuf;
+
+ dns_nsec3_log_salt(
+ named_g_lctx,
+ NAMED_LOGCATEGORY_GENERAL,
+ NAMED_LOGMODULE_SERVER,
+ ISC_LOG_INFO, salt,
+ dns_kasp_nsec3saltlen(
+ kasp),
+ "generated salt:");
 }
 result = dns_zone_setnsec3param(
 zone, 1,
diff --git a/lib/dns/include/dns/nsec3.h b/lib/dns/include/dns/nsec3.h
index a2f22e0fc8..f001fc0acb 100644
--- a/lib/dns/include/dns/nsec3.h
+++ b/lib/dns/include/dns/nsec3.h
@@ -16,6 +16,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -74,10 +75,18 @@ dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
 isc_result_t
 dns_nsec3_generate_salt(unsigned char *salt, size_t saltlen);
-/*%
+/*%<
 * Generate a salt with the given salt length.
 */
+void
+dns_nsec3_log_salt(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, unsigned char *salt,
+ size_t saltlen, const char *fmt, ...);
+/*%<
+ * Utility to log the salt.
+ */
+
 isc_result_t
 dns_nsec3_hashname(dns_fixedname_t *result,
 unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index 3feda0ec4e..3dbe33e8d6 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -27,7 +27,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
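Review bot: In the zoneconf.c hunk `dns_kasp_nsec3saltlen(kasp)` is evaluated twice, once in the `dns_nsec3_generate_salt` call visible as context above `salt = saltbuf;` and again in the new `dns_nsec3_log_salt` call, so the length that is logged and the length that was generated are only equal by convention. A single local such as `size_t saltlen = dns_kasp_nsec3saltlen(kasp);` taken before the generate call and passed to both would make that agreement structural and shorten the nine-line call. The generate call's opening lines and the enclosing `named_zone_configure` body lie outside the hunk, so the placement of that local cannot be confirmed from here.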
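Review bot: The header comment on the new `dns_nsec3_log_salt` prototype in nsec3.h, `Utility to log the salt.`, does not describe the contract that the nsec3.c hunk implements: `fmt` and the trailing arguments form a printf-style prefix, the salt is appended as hex text after a single space, and nothing is written when `level` would not be logged. A comment along the lines of `Log 'saltlen' bytes of 'salt' as hex text to 'lctx' at 'level', prefixed by the printf-style message built from 'fmt'.` would give callers enough to use it without reading the implementation. Since `fmt` is a format string, the prototype is also a candidate for the project's printf format-check attribute (ISC_FORMAT_PRINTF, if this tree provides it) so that callers' variadic arguments are checked at compile time.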
@@ -229,29 +228,46 @@ dns_nsec3_typepresent(dns_rdata_t *rdata, dns_rdatatype_t type) {
 isc_result_t
 dns_nsec3_generate_salt(unsigned char *salt, size_t saltlen) {
+ if (saltlen > 255U) {
+ return (ISC_R_RANGE);
+ }
+ isc_nonce_buf(salt, saltlen);
+ return (ISC_R_SUCCESS);
+}
+
+void
+dns_nsec3_log_salt(isc_log_t *lctx, isc_logcategory_t *category,
+ isc_logmodule_t *module, int level, unsigned char *salt,
+ size_t saltlen, const char *fmt, ...) {
+ va_list ap;
+
+ char message[4096];
 unsigned char text[255 * 2 + 1];
 isc_region_t r;
 isc_buffer_t buf;
 isc_result_t result;
- if (saltlen > 255U) {
- return (ISC_R_RANGE);
+ if (!isc_log_wouldlog(dns_lctx, level)) {
+ return;
 }
- isc_nonce_buf(salt, saltlen);
+ va_start(ap, fmt);
+
+ vsnprintf(message, sizeof(message), fmt, ap);
 r.base = salt;
 r.length = (unsigned int)saltlen;
 isc_buffer_init(&buf, text, sizeof(text));
 result = isc_hex_totext(&r, 2, "", &buf);
- RUNTIME_CHECK(result == ISC_R_SUCCESS);
- text[saltlen * 2] = 0;
+ if (result == ISC_R_SUCCESS) {
+ text[saltlen * 2] = 0;
+ } else {
+ text[0] = 0;
+ }
+ isc_log_write(lctx, category, module, level, "%s %s", message, text);
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_DNSSEC,
- ISC_LOG_INFO, "generated salt: %s", text);
-
- return (ISC_R_SUCCESS);
+ va_end(ap);
 }
 isc_result_t
diff --git a/lib/dns/win32/libdns.def.in b/lib/dns/win32/libdns.def.in
index 2b0383af73..f9e124f3aa 100644
--- a/lib/dns/win32/libdns.def.in
+++ b/lib/dns/win32/libdns.def.in
@@ -654,6 +654,7 @@ dns_nsec3_delnsec3sx
 dns_nsec3_generate_salt
 dns_nsec3_hashlength
 dns_nsec3_hashname
+dns_nsec3_log_salt
 dns_nsec3_maxiterations
 dns_nsec3_noexistnodata
 dns_nsec3_supportedhash
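Review bot: The early-return guard in the new `dns_nsec3_log_salt` queries the library-global context, `isc_log_wouldlog(dns_lctx, level)`, while the message a few lines later is written to the caller-supplied `lctx`; both callers added in this commit pass `named_g_lctx`, so the decision to skip and the actual write are made against different contexts and can disagree whenever their levels differ or `dns_lctx` has not been set. The guard should read `if (!isc_log_wouldlog(lctx, level)) {`. The return value of `vsnprintf` is discarded, so a prefix longer than `message` is silently truncated; that is tolerable for a log prefix but deserves a one-line comment such as `/* prefix is truncated to sizeof(message); the hex salt is appended separately */`. The `text[0] = 0` fallback when `isc_hex_totext` fails is a sound replacement for the removed `RUNTIME_CHECK`, since it also covers a caller passing more than 255 bytes now that this function no longer performs the length check itself.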