diff --git a/CHANGES b/CHANGES
index 8dff7c385a..02039514d0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2183. [bug] dnssec-signzone didn't handle offline private keys
+ well. [RT #16832]
+
 2182. [bug] dns_dispatch_createtcp() and dispatch_createudp() could return ISC_R_SUCCESS when they ran out of memory. [RT #16365]
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 46650a5635..b8e11010d3 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -16,7 +16,7 @@
 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: dnssec-signzone.c,v 1.199 2006/08/30 22:57:16 marka Exp $ */
+/* $Id: dnssec-signzone.c,v 1.200 2007/05/18 05:50:35 marka Exp $ */
 /*! \file */
@@ -1481,7 +1481,7 @@ loadzonekeys(dns_db_t *db) {
 for (i = 0; i < nkeys; i++) {
 signer_key_t *key;
- key = newkeystruct(keys[i], ISC_TRUE);
+ key = newkeystruct(keys[i], dst_key_isprivate(keys[i]));
 ISC_LIST_APPEND(keylist, key, link);
 }
 dns_db_detachnode(db, &node);
diff --git a/bin/named/update.c b/bin/named/update.c
index f0feeb8281..22bcf23bad 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: update.c,v 1.132 2007/03/29 23:47:04 tbox Exp $ */
+/* $Id: update.c,v 1.133 2007/05/18 05:50:35 marka Exp $ */
 #include
@@ -1658,6 +1658,9 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 if (check_ksk && type != dns_rdatatype_dnskey &&
 (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
 continue;
+
+ if (!dst_key_isprivate(keys[i]))
+ continue;
 /* Calculate the signature, creating a RRSIG RDATA. */
 CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 729b196f22..28c470f18e 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -16,7 +16,7 @@
 */
 /*
- * $Id: dnssec.c,v 1.87 2006/03/07 00:34:55 marka Exp $
+ * $Id: dnssec.c,v 1.88 2007/05/18 05:50:35 marka Exp $
 */
 /*! \file */
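Review bot: The call-site change `key = newkeystruct(keys[i], dst_key_isprivate(keys[i]))` needs a comment, because nothing in the loop explains why a key whose private half is absent is still appended to `keylist` rather than dropped; suggested: `/* Public-only key (private half offline): list it, but don't sign with it. */`. The meaning of newkeystruct's second argument is defined outside this hunk, so that wording should be checked against it. Any later walk of `keylist` in this file that assumes every entry can produce a signature must now honour that flag; loadzonekeys begins outside the hunk and those walks are not visible here.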
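Review bot: The new `if (!dst_key_isprivate(keys[i])) continue;` makes it possible for the loop to sign with no key at all when every matching zone key is public-only, and nothing in the hunk reports that; at minimum the skip deserves a comment, `/* Private half is offline; this key cannot sign. */`, and ideally a debug log line. After the loop, a check that at least one RRSIG was generated would turn "all private keys offline" into an update failure rather than an RRset silently published without signatures in a signed zone. add_sigs and its loop continue outside the hunk, so where such a check fits cannot be confirmed here.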
@@ -531,6 +531,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
 dst_key_t *pubkey = NULL;
 unsigned int count = 0;
+ REQUIRE(nkeys != NULL);
+ REQUIRE(keys != NULL);
+
 *nkeys = 0;
 dns_rdataset_init(&rdataset);
 RETERR(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
@@ -540,7 +543,8 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
 pubkey = NULL;
 dns_rdataset_current(&rdataset, &rdata);
 RETERR(dns_dnssec_keyfromrdata(name, &rdata, mctx, &pubkey));
- if (!is_zone_key(pubkey))
+ if (!is_zone_key(pubkey) ||
+ (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
 goto next;
 keys[count] = NULL;
 result = dst_key_fromfile(dst_key_name(pubkey),
@@ -549,17 +553,23 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
 DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
 directory, mctx, &keys[count]);
- if (result == ISC_R_FILENOTFOUND)
+ if (result == ISC_R_FILENOTFOUND) {
+ keys[count] = pubkey;
+ pubkey = NULL;
+ count++;
 goto next;
+ }
 if (result != ISC_R_SUCCESS)
 goto failure;
 if ((dst_key_flags(keys[count]) & DNS_KEYTYPE_NOAUTH) != 0) {
+ /* We should never get here. */
 dst_key_free(&keys[count]);
 goto next;
 }
 count++;
 next:
- dst_key_free(&pubkey);
+ if (pubkey != NULL)
+ dst_key_free(&pubkey);
 dns_rdata_reset(&rdata);
 result = dns_rdataset_next(&rdataset);
 }
@@ -575,6 +585,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
 dns_rdataset_disassociate(&rdataset);
 if (pubkey != NULL)
 dst_key_free(&pubkey);
+ if (result != ISC_R_SUCCESS)
+ while (count > 0)
+ dst_key_free(&keys[--count]);
 *nkeys = count;
 return (result);
 }
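Review bot: The added `/* We should never get here. */` overstates the guarantee: the NOAUTH test earlier in this function reads the flags of the DNSKEY RR in the zone, while this one reads the flags `dst_key_fromfile()` loaded from the on-disk key file, and the two can differ if the key files were regenerated or edited; keep the check and reword it, e.g. `/* Flags in the key file may differ from the zone's DNSKEY RR; reject NOAUTH here too. */`. The new FILENOTFOUND branch stores `pubkey` into `keys[count]` and increments `count`, so the loop condition, which is outside this hunk, must bound `count` by the caller's array size on this path as well; worth confirming. Callers of this function that are not in this diff now receive public-only keys and must test `dst_key_isprivate()` before signing, as update.c does in this commit.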
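Review bot: The new cleanup nests a brace-less `while` inside a brace-less `if`, which is easy to misread and fragile under later edits; brace the `if` body: `if (result != ISC_R_SUCCESS) {` / `while (count > 0)` / `dst_key_free(&keys[--count]);` followed by `}`. With that loop `*nkeys = count` then reports 0 on failure, which is the right contract for the caller. The test assumes `result` has already been mapped from ISC_R_NOMORE to ISC_R_SUCCESS on the normal exit from the loop, which happens outside this hunk.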